Review Scope
- reproducible builds
- health check coverage
- environment variable safety
- runtime compatibility
Current Render Hardening
render.yaml now includes:
- frozen lockfile install in build command
- explicit health check path: /api/health
- generated secrets for JWT/session in Render
- secret-backed DealDash Agent Bridge env slots:
  - DEALDASH_AGENT_SERVICE_SECRET
  - DEALDASH_AGENT_APPROVAL_CONFIRM_SECRET
Deployment Ownership Clarification
- canonical production app runtime: Render
- canonical production data/auth: Supabase
- OpenClaw control plane: Hostinger VPS node
- no active Vercel deployment artifacts are maintained in this repo
Checklist
- build uses deterministic dependency install
- app exposes reliable health endpoint
- no secrets committed in repository
- production origin and short-link domain configured correctly
- deployment docs clearly identify Render/Supabase as canonical production path
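An added example, not part of this repository: a small line-based check that a CI step could run against render.yaml to confirm the first three checklist items. The sample blueprint is constructed; the service name, runtime, pnpm commands and the JWT_SECRET / SESSION_SECRET key names are assumptions, and only /api/health and the two DEALDASH_* slots come from this review.

```python
import re

# Constructed sample blueprint (assumed names; not the repository's actual file).
SAMPLE = """\
services:
  - type: web
    name: example-app
    runtime: node
    buildCommand: pnpm install --frozen-lockfile && pnpm build
    startCommand: pnpm start
    healthCheckPath: /api/health
    envVars:
      - key: JWT_SECRET
        generateValue: true
      - key: SESSION_SECRET
        generateValue: true
      - key: DEALDASH_AGENT_SERVICE_SECRET
        sync: false
      - key: DEALDASH_AGENT_APPROVAL_CONFIRM_SECRET
        sync: false
"""

# Install commands that refuse to modify the lockfile (pnpm/yarn, yarn berry, npm).
FROZEN = re.compile(r"--frozen-lockfile|--immutable|\bnpm ci\b")
# Env var names that should never carry a literal value in the blueprint.
SECRET_KEY = re.compile(r"SECRET|TOKEN|PASSWORD|PRIVATE_KEY", re.I)

def audit(text):
    """Return checklist findings for a render.yaml passed as text (line-based scan)."""
    findings = []
    build = re.search(r"^\s*buildCommand:\s*(.+)$", text, re.M)
    if not build or not FROZEN.search(build.group(1)):
        findings.append("build command does not use a frozen lockfile install")
    if not re.search(r"^\s*healthCheckPath:\s*/\S+", text, re.M):
        findings.append("no explicit healthCheckPath")
    # Split envVars into entries at each "- key:" and inspect the fields that follow.
    for entry in re.split(r"^\s*-\s+(?=key:)", text, flags=re.M)[1:]:
        key = re.match(r"key:\s*(\S+)", entry).group(1)
        # generateValue / sync: false keep the secret in Render; "value:" commits it.
        if SECRET_KEY.search(key) and re.search(r"^\s*value:", entry, re.M):
            findings.append(f"{key}: literal value committed in render.yaml")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "render.yaml passes the checklist")
```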
Suggested Operational Verification
- deploy latest commit
- verify health endpoint in Render dashboard
- verify short-link redirects and auth-protected routes
- verify background jobs start without runtime errors