Fix Render deployment: Docker server/ copy, same-origin frontend, config diagnostics

- Dockerfile runtime stage was missing the server/ directory, causing a
  module-not-found crash on boot (server.js requires ./server/*).
- Frontend no longer hard-throws when VITE_API_URL is unset; empty base URL
  now correctly means same-origin requests for single-service deployments.
- Add startup [Config] log summary so Stripe/email live-vs-mock state is
  visible in logs.
- Add render.yaml blueprint and RENDER.md with the full env-var reference.

Author: claude

Dockerfile

@@ -30,6 +30,7 @@ RUN npm ci --omit=dev \
   && npm cache clean --force
 
 COPY server.js ./
+COPY server ./server
 COPY --from=builder /app/dist ./dist
 
 # Runtime directories (uploads ephemeral; /data intended for SQLite volume mounts)

RENDER.md

@@ -0,0 +1,98 @@
+# Deploying SpectraCleanse AI on Render
+
+This is the complete environment-variable reference and setup guide for running
+SpectraCleanse AI on [Render](https://render.com). It explains why Stripe and
+email verification may appear "not working" and exactly how to fix it.
+
+## Why Stripe / email verification aren't working
+
+The server changes behavior based on `NODE_ENV` and which secrets are present:
+
+- **If `NODE_ENV` is NOT `production`** the server enables **mock checkout**
+  (Stripe is bypassed and returns a fake success URL — no real charge) and
+  **dev-fallback email** (verification/reset emails are only logged, never
+  sent). This is almost always the cause of "Stripe and email aren't working."
+- **If `NODE_ENV` is `production` but Stripe vars are missing**, the server
+  exits on boot with `FATAL: Stripe is not fully configured in production.`
+- **If SMTP vars are missing in production**, account creation still works but
+  verification/reset emails fail to send.
+
+After deploying, open your Render service **Logs** and look for the
+`[Config]` summary printed at startup — it tells you whether Stripe and Email
+are actually live or running in mock/fallback mode.
+
+## Required environment variables
+
+Set these in **Render → your service → Environment**. (If you deploy via the
+included `render.yaml` blueprint, the keys are pre-created and you just fill in
+the secret values.)
+
+### Core
+
+| Variable | Required | Value / Notes |
+|---|---|---|
+| `NODE_ENV` | ✅ | `production` — **this is the single most important one.** Turns off mock checkout and dev-email fallback. |
+| `JWT_SECRET` | ✅ | A long random string. Generate: `node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"` |
+| `FRONTEND_URL` | ✅ | Your public URL, e.g. `https://spectracleanseai.onrender.com`. Used for CORS, Stripe redirect URLs, and email links. |
+| `DB_PATH` | ✅ | `/data/spectra.db` — must point at a **persistent disk** or data is wiped on every deploy. |
+| `PORT` | Auto | Render injects this automatically; the server reads it. Do not hard-code. |
+| `APP_BASE_URL` | Optional | Base URL for email links. Falls back to `FRONTEND_URL`, so usually unnecessary. |
+| `ALLOWED_ORIGINS` | Optional | Comma-separated extra CORS origins. Only needed if the frontend is on a different domain than the API. |
+
+### Stripe — all four required for live checkout
+
+| Variable | Where to find it |
+|---|---|
+| `STRIPE_SECRET_KEY` | Stripe Dashboard → Developers → API keys → Secret key (`sk_live_…`) |
+| `STRIPE_WEBHOOK_SECRET` | Stripe Dashboard → Developers → Webhooks → your endpoint → Signing secret (`whsec_…`) |
+| `STRIPE_CREATOR_PRICE_ID` | Stripe → Products → Creator plan → Price ID (`price_…`) |
+| `STRIPE_STUDIO_PRICE_ID` | Stripe → Products → Studio plan → Price ID (`price_…`) |
+
+If **any** of these four is missing, the server treats Stripe as unconfigured.
+
+### Email / SMTP — all five required to send mail
+
+| Variable | Notes |
+|---|---|
+| `SMTP_HOST` | e.g. `smtp.sendgrid.net`, `smtp.resend.com`, `smtp.gmail.com` |
+| `SMTP_PORT` | `587` (STARTTLS) or `465` (implicit TLS) |
+| `SMTP_USER` | SMTP username (for SendGrid the literal string `apikey`) |
+| `SMTP_PASS` | SMTP password / API key |
+| `SMTP_FROM` | From address, e.g. `SpectraCleanse <no-reply@spectracleanse.com>` |
+
+If **any** of these five is missing, verification/reset emails won't send in production.
+
+### Optional
+
+| Variable | Notes |
+|---|---|
+| `GEMINI_API_KEY` | Only needed for the AI SEO-generation feature. |
+| `VITE_API_URL` | Build-time only. Leave **unset** for the default same-origin deployment. Set it only if you host the frontend separately from the API. |
+
+## Setup steps
+
+1. **Create the service.** Use the included `render.yaml` (New → Blueprint) or
+   create a Web Service with **Runtime: Docker** pointing at this repo's
+   `Dockerfile`.
+2. **Add a persistent disk** mounted at `/data` (≥1 GB) so the SQLite database
+   survives deploys. Set `DB_PATH=/data/spectra.db`.
+3. **Fill in all environment variables** from the tables above.
+4. **Deploy**, then check `https://<your-service>.onrender.com/api/health` →
+   `{"status":"ok"}`.
+5. **Configure the Stripe webhook.** In Stripe → Developers → Webhooks, add an
+   endpoint at `https://<your-service>.onrender.com/api/stripe-webhook` and
+   subscribe to `checkout.session.completed` and `customer.subscription.deleted`.
+   Copy its signing secret into `STRIPE_WEBHOOK_SECRET` and redeploy.
+6. **Verify the logs.** The startup `[Config]` lines should show Stripe and
+   Email as `configured`.
+
+## Quick checklist
+
+- [ ] `NODE_ENV=production`
+- [ ] `JWT_SECRET` set to a strong random value
+- [ ] `FRONTEND_URL` = your Render URL
+- [ ] Persistent disk at `/data` + `DB_PATH=/data/spectra.db`
+- [ ] All 4 `STRIPE_*` vars set
+- [ ] Stripe webhook endpoint created and `STRIPE_WEBHOOK_SECRET` set
+- [ ] All 5 `SMTP_*` vars set
+- [ ] `/api/health` returns ok and logs show Stripe + Email `configured`

app.tsx

@@ -19,13 +19,13 @@ import {
   type SavedReleaseDefaults,
 } from './src/utils/releaseDefaults';
 
+// When the frontend and API are served from the same origin (the default
+// single-service Render/Docker deployment), an empty base URL means requests
+// are made relative to the current origin. Only set VITE_API_URL when the API
+// is hosted on a different origin than the frontend.
 const API_BASE_URL =
   import.meta.env.VITE_API_URL ||
   (import.meta.env.DEV ? 'http://localhost:3001' : '');
-
-if (!API_BASE_URL) {
-  throw new Error('Missing VITE_API_URL in production build');
-}
 const PLATFORMS = ['General', 'YouTube', 'Spotify', 'Apple Music', 'TikTok'] as const;
 type Platform = typeof PLATFORMS[number];
 type ItemStatus = 'pending' | 'analyzing' | 'processing' | 'done' | 'error';

render.yaml

@@ -0,0 +1,58 @@
+# Render Blueprint for SpectraCleanse AI
+# Deploy: Render Dashboard → New → Blueprint → connect this repo.
+# Secrets (sync: false) must be filled in the Render dashboard after the first deploy.
+services:
+  - type: web
+    name: spectracleanseai
+    runtime: docker
+    dockerfilePath: ./Dockerfile
+    plan: starter
+    healthCheckPath: /api/health
+    # Persistent disk for the SQLite database. Without this, ALL user accounts
+    # and data are wiped on every deploy/restart.
+    disk:
+      name: spectra-data
+      mountPath: /data
+      sizeGB: 1
+    envVars:
+      # ── Core ────────────────────────────────────────────────────────────────
+      - key: NODE_ENV
+        value: production
+      - key: DB_PATH
+        value: /data/spectra.db
+      - key: JWT_SECRET
+        generateValue: true            # Render generates a strong random value
+      # Your public Render URL, e.g. https://spectracleanseai.onrender.com
+      # Used for CORS, Stripe success/cancel URLs, and email verification links.
+      - key: FRONTEND_URL
+        sync: false
+      - key: APP_BASE_URL
+        sync: false                    # Optional; falls back to FRONTEND_URL
+      - key: ALLOWED_ORIGINS
+        sync: false                    # Optional; only if a separate frontend domain
+
+      # ── Stripe (ALL FOUR required for live checkout) ────────────────────────
+      - key: STRIPE_SECRET_KEY
+        sync: false
+      - key: STRIPE_WEBHOOK_SECRET
+        sync: false
+      - key: STRIPE_CREATOR_PRICE_ID
+        sync: false
+      - key: STRIPE_STUDIO_PRICE_ID
+        sync: false
+
+      # ── Email / SMTP (ALL FIVE required to send verification/reset mail) ─────
+      - key: SMTP_HOST
+        sync: false
+      - key: SMTP_PORT
+        value: "587"
+      - key: SMTP_USER
+        sync: false
+      - key: SMTP_PASS
+        sync: false
+      - key: SMTP_FROM
+        sync: false
+
+      # ── Optional ────────────────────────────────────────────────────────────
+      - key: GEMINI_API_KEY
+        sync: false                    # Only needed for AI SEO generation

server.js

@@ -764,7 +764,28 @@ if (fs.existsSync(distPath)) {
 }
 
 const PORT = process.env.PORT || 3001;
-app.listen(PORT, () => console.log(`SpectraCleanse backend on :${PORT}`));
+app.listen(PORT, () => {
+  console.log(`SpectraCleanse backend on :${PORT}`);
+  // Startup config summary – check these lines in your host's logs to confirm
+  // Stripe and email are actually live (not running in mock / dev-fallback mode).
+  console.log(`[Config] NODE_ENV=${process.env.NODE_ENV || '(unset → non-production defaults)'}`);
+  console.log(
+    `[Config] Stripe: ${
+      STRIPE_CONFIGURED
+        ? 'configured (live checkout)'
+        : `NOT configured${ENABLE_MOCK_CHECKOUT ? ' (mock checkout enabled – no real charges)' : ''}`
+    }`
+  );
+  console.log(
+    `[Config] Email/SMTP: ${
+      isEmailDeliveryConfigured()
+        ? 'configured (verification & reset emails will send)'
+        : 'NOT configured (verification/reset emails will NOT send)'
+    }`
+  );
+  console.log(`[Config] Gemini SEO: ${process.env.GEMINI_API_KEY ? 'configured' : 'NOT configured'}`);
+  console.log(`[Config] CORS origins: ${[...allowedOrigins].join(', ') || '(none)'}`);
+});
 
 process.on('exit',    () => { exiftool.end(); db.close(); });
 process.on('SIGTERM', () => { exiftool.end(); db.close(); process.exit(0); });