Add boot-time env assertions + fix ci.yml for post-webapp layout

Closes gap-analysis v2 §8.1 / §8.4 / §8.6 and §10.1 / §10.2. - assertProductionEnv() in config/env.ts fails-fast in NODE_ENV=production when SESSION_SECRET / EVENT_BUS_HMAC_SECRET / CHAIN_138_RPC_URL / NOTARY_REGISTRY_ADDRESS / ORCHESTRATOR_PRIVATE_KEY / DATABASE_URL is missing or uses the dev placeholder. Catches the silent-degrade-to-mock failure mode that would turn the Ledger Anchor back into a lie. - New EVENT_BUS_HMAC_SECRET env added to the schema. - .github/workflows/ci.yml rewritten: portal jobs target repo root (not the removed webapp/ gitlink), orchestrator type-check + test job added, contracts jobs kept as-is. - 7 unit tests for assertProductionEnv; full suite 87/87 green.
2026-04-22 18:06:08 +00:00
parent b66ec0a78f
commit d6d74f2267
4 changed files with 287 additions and 93 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,139 +7,132 @@ on:
    branches: [main, develop]

 jobs:
-  # Frontend CI
-  frontend-lint:
-    name: Frontend Lint
+  # -------------------------------------------------------------------------
+  # Portal (Vite + React, lives at repo root after the webapp/ gitlink was
+  # removed in PR #4)
+  # -------------------------------------------------------------------------
+  portal-lint:
+    name: Portal Lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
        with:
-          node-version: "18"
+          node-version: "20"
          cache: "npm"
-          cache-dependency-path: webapp/package-lock.json
-      - name: Install dependencies
-        working-directory: webapp
-        run: npm ci
-      - name: Lint
-        working-directory: webapp
-        run: npm run lint
+      - run: npm ci
+      - run: npm run lint

-  frontend-type-check:
-    name: Frontend Type Check
+  portal-type-check:
+    name: Portal Type Check
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
        with:
-          node-version: "18"
+          node-version: "20"
          cache: "npm"
-          cache-dependency-path: webapp/package-lock.json
-      - name: Install dependencies
-        working-directory: webapp
-        run: npm ci
-      - name: Type check
-        working-directory: webapp
-        run: npx tsc --noEmit
+      - run: npm ci
+      - run: npx tsc --noEmit

-  frontend-build:
-    name: Frontend Build
+  portal-build:
+    name: Portal Build
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
        with:
-          node-version: "18"
+          node-version: "20"
          cache: "npm"
-          cache-dependency-path: webapp/package-lock.json
-      - name: Install dependencies
-        working-directory: webapp
-        run: npm ci
-      - name: Build
-        working-directory: webapp
-        run: npm run build
-      - name: Upload build artifacts
-        uses: actions/upload-artifact@v4
+      - run: npm ci
+      - run: npm run build
+      - uses: actions/upload-artifact@v4
        with:
-          name: frontend-build
-          path: webapp/.next
+          name: portal-dist
+          path: dist

-  frontend-e2e:
-    name: Frontend E2E Tests
+  # -------------------------------------------------------------------------
+  # Orchestrator (TypeScript + Express + Jest)
+  # -------------------------------------------------------------------------
+  orchestrator-type-check:
+    name: Orchestrator Type Check
    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: orchestrator
    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
        with:
-          node-version: "18"
+          node-version: "20"
          cache: "npm"
-          cache-dependency-path: webapp/package-lock.json
-      - name: Install dependencies
-        working-directory: webapp
-        run: npm ci
-      - name: Install Playwright
-        working-directory: webapp
-        run: npx playwright install --with-deps
-      - name: Run E2E tests
-        working-directory: webapp
-        run: npm run test:e2e
-      - name: Upload test results
-        uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: playwright-report
-          path: webapp/playwright-report/
+          cache-dependency-path: orchestrator/package-lock.json
+      - run: npm ci
+      - run: npx tsc --noEmit

-  # Orchestrator CI
  orchestrator-build:
    name: Orchestrator Build
    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: orchestrator
    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
        with:
-          node-version: "18"
+          node-version: "20"
          cache: "npm"
          cache-dependency-path: orchestrator/package-lock.json
-      - name: Install dependencies
-        working-directory: orchestrator
-        run: npm ci
-      - name: Build
-        working-directory: orchestrator
-        run: npm run build
+      - run: npm ci
+      - run: npm run build

-  # Smart Contracts CI
+  orchestrator-test:
+    name: Orchestrator Test
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: orchestrator
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "npm"
+          cache-dependency-path: orchestrator/package-lock.json
+      - run: npm ci
+      - run: npm test -- --ci
+
+  # -------------------------------------------------------------------------
+  # Smart Contracts (Hardhat)
+  # -------------------------------------------------------------------------
  contracts-compile:
    name: Contracts Compile
    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: contracts
    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
        with:
-          node-version: "18"
+          node-version: "20"
          cache: "npm"
          cache-dependency-path: contracts/package-lock.json
-      - name: Install dependencies
-        working-directory: contracts
-        run: npm ci
-      - name: Compile contracts
-        working-directory: contracts
-        run: npm run compile
+      - run: npm ci
+      - run: npm run compile

  contracts-test:
    name: Contracts Test
    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: contracts
    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
        with:
-          node-version: "18"
+          node-version: "20"
          cache: "npm"
          cache-dependency-path: contracts/package-lock.json
-      - name: Install dependencies
-        working-directory: contracts
-        run: npm ci
-      - name: Run tests
-        working-directory: contracts
-        run: npm run test
-
+      - run: npm ci
+      - run: npm run test