Fix Render deployment for Stripe & email verification

[ChrisAdamsdevelopment]

Why Stripe and email verification "aren't working"

The server silently switches into mock/dev-fallback mode unless the right environment is set:

• When NODE_ENV is not production, checkout returns a fake success URL (no real Stripe charge) and verification/reset emails are only logged, never sent.
• When NODE_ENV=production but Stripe vars are missing, the server exits on boot.

So the fix is almost entirely environment configuration on Render — documented below — plus a few real code bugs found along the way.

Code fixes in this PR

1. Dockerfile dropped the entire server/ directory at runtime. The runtime stage copied only server.js + dist, but server.js requires ./server/processor, ./server/emailService, etc. → MODULE_NOT_FOUND crash on boot when deployed via Docker. Now copies server/.
2. Frontend hard-crashed without a build-time VITE_API_URL. It throws on an empty base URL, but for a single-service (same-origin) Render deploy the correct value is empty (relative requests). Removed the throw so same-origin "just works"; VITE_API_URL is now only needed when the frontend is hosted on a separate domain.
3. No visibility into live-vs-mock state. Added a startup [Config] log summary showing whether Stripe, Email, and Gemini are actually configured — so the logs immediately tell you if you're in mock mode.

New docs / blueprint

• render.yaml — Render Blueprint with a persistent disk for SQLite and all env-var keys pre-created.
• RENDER.md — full environment-variable reference and step-by-step setup, including the Stripe webhook.

Required env vars on Render (summary)

Core: NODE_ENV=production, JWT_SECRET, FRONTEND_URL, DB_PATH=/data/spectra.db (+ persistent disk).
Stripe (all 4): STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, STRIPE_CREATOR_PRICE_ID, STRIPE_STUDIO_PRICE_ID.
Email (all 5): SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_PASS, SMTP_FROM.
Optional: GEMINI_API_KEY.

Testing

• node --check server.js passes.
• npm run build (tsc + vite) passes cleanly.

https://claude.ai/code/session_01Db78Ftpd21HmNSHHi6hwYS

---

Generated by Claude Code

Summary by Sourcery

Improve production deployment reliability and configuration visibility for Stripe, email, and Render-based deployments.

Bug Fixes:

• Ensure Docker runtime image includes the server directory so the backend can boot correctly.
• Allow production builds to run without VITE_API_URL when the frontend and API are served from the same origin.

Enhancements:

• Log a startup configuration summary indicating live vs. mock status for Stripe, email, Gemini, and CORS origins.
• Upgrade exiftool-vendored and nodemailer dependencies to newer versions.

Documentation:

• Add a Render deployment guide detailing required environment variables and setup steps for Stripe, email, and persistence.
• Introduce a Render blueprint file defining the Docker web service, persistent disk, and environment variable keys.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
spectracleanseai	Ready	Preview, Comment, Open in v0	Jun 1, 2026 4:59am

[sourcery-ai]

Reviewer's Guide

Fixes production deployment behavior and observability for Stripe/email on Render by copying the server directory into the Docker runtime image, relaxing the VITE_API_URL requirement for same-origin deployments, adding a startup config summary log, and introducing Render-specific docs and blueprint files.

Flow diagram for API_BASE_URL resolution in app.tsx

graph TD
  Start[Start app.tsx]
  CheckEnv[Read import.meta.env.VITE_API_URL]
  HasViteApiUrl{VITE_API_URL set?}
  DevMode{DEV mode?}
  UseEnv[Set API_BASE_URL to VITE_API_URL]
  UseLocalhost[Set API_BASE_URL to http://localhost:3001]
  UseRelative["Set API_BASE_URL to empty string (same-origin)"]

  Start --> CheckEnv --> HasViteApiUrl
  HasViteApiUrl -->|yes| UseEnv
  HasViteApiUrl -->|no| DevMode
  DevMode -->|yes| UseLocalhost
  DevMode -->|no| UseRelative

Loading

File-Level Changes

Change	Details	Files
Add a startup configuration summary log so operators can quickly see whether Stripe, email, Gemini, and CORS are configured or running in mock/fallback mode.	Wrap app.listen callback to log startup configuration details Log NODE_ENV with a clear fallback description when unset Log Stripe status based on STRIPE_CONFIGURED and ENABLE_MOCK_CHECKOUT flags Log email delivery status via isEmailDeliveryConfigured() Log Gemini configuration based on GEMINI_API_KEY presence Log allowed CORS origins from the allowedOrigins set	server.js
Allow frontend builds to operate without VITE_API_URL when API and frontend share the same origin, while keeping localhost override for development.	Document same-origin behavior and when to set VITE_API_URL Define API_BASE_URL to prefer VITE_API_URL, fall back to localhost:3001 in dev, and empty string in production for relative URLs Remove runtime error thrown when API_BASE_URL is empty in production	app.tsx
Ensure Docker runtime image contains the server directory needed at boot time.	Copy the server directory into the runtime image alongside server.js Retain dist assets from the builder stage for serving the frontend	Dockerfile
Update dependencies related to media metadata handling and email sending.	Bump exiftool-vendored to a newer major/minor version Bump nodemailer to a newer major/minor version	package.json package-lock.json
Add Render-specific deployment documentation and a blueprint for a Docker-based web service with a persistent disk and env var scaffolding.	Create RENDER.md with full environment variable reference, behavior explanation, and deployment steps for Render Add render.yaml blueprint defining Docker runtime web service, health check path, persistent disk, and pre-created env vars including Stripe, SMTP, and optional Gemini/API config	RENDER.md render.yaml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[ChrisAdamsdevelopment]

Folded into #48 per the decision to ship everything as a single PR. The Render deploy fixes and security upgrades from this branch were merged into buildout/full-codebase-roadmap (merge commit db230a6):

• Dockerfile COPY server ./server crash-fix
• same-origin frontend (no required VITE_API_URL)
• startup [Config] diagnostics (coexists with Roadmap buildout: rate limiting, history, drag-drop, onboarding, admin #48's /api/health)
• nodemailer ^8.0.10 + exiftool-vendored ^35.21.0 (audit-clean; Roadmap buildout: rate limiting, history, drag-drop, onboarding, admin #48 already had close versions)
• render.yaml + RENDER.md

Closing this one — review and merge #48 instead. Verified after merge: 28/28 tests pass, npm audit --audit-level=high clean, build OK, server boots, and /admin returns 401 without the ADMIN_SECRET bearer token / 200 with it.

---

Generated by Claude Code