12 Commits

Author SHA1 Message Date
Leon Serfaty 35379212fb fix(worker): neutralize server-only at runtime so the tsx worker can boot
The worker runs worker/index.ts under tsx (plain Node) and transitively
imports lib/flags (and other server-only-guarded modules) via the generation
pipeline. `server-only` resolves to its throwing index.js outside Next's RSC
bundler, crash-looping the worker container. Copy the package's empty.js over
index.js in the final image so the runtime import is a no-op; the build-time
client/server guard already ran during `next build`. Web is unaffected.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-20 21:31:38 -04:00
Leon Serfaty 328cd62766 fix(docker): use a >=32-char build-time BETTER_AUTH_SECRET placeholder
The security-hardening pass tightened lib/auth/auth.ts to reject secrets
shorter than 32 chars (or known placeholders) in production. next build
evaluates that guard while collecting page data for /api/auth/[...all], so
the old 21-char "build-time-placeholder" now fails the build. Lengthen the
throwaway build-only value to satisfy the guard; the real secret is still
injected at run time and never baked into the image.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-20 21:19:56 -04:00
Leon Serfaty 19a403b431 fix(storage): serve assets via app routes when MEDIA_PUBLIC_BASE_URL is unset
publicUrl() defaulted MEDIA_BASE to "/media" even with no env set, so cover
art on public share pages pointed at a /media path that only the old nginx
(Plesk) box served. In the containerized Coolify/Docker deploy nothing serves
/media, breaking those images. Return null when MEDIA_PUBLIC_BASE_URL is unset
so callers fall back to the app's own /api/public/.../cover route (the deploy
README already documents assets as app-served). Backward compatible: behavior
is unchanged when the env var is set.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-20 21:10:52 -04:00
Leon Serfaty 51c541ad22 Security & robustness hardening pass
Cross-cutting input-validation, isolation, and DoS-resistance fixes across
the app, API, billing, queue, and infra layers.

- Runtime validation (zod) for client-supplied admin actions (role/plan/
  limits), series generation index, and all pg-boss queue payloads
- Auth: require email verification before sign-in; reject weak/placeholder/
  short BETTER_AUTH_SECRET in production
- Billing: sanitize Stripe/PayPal errors (log server-side, generic to client);
  race-safe subscription upsert; only count "processed" webhook events as
  handled; verify org membership in getEffectivePlan to block plan escalation
- Series generation: reserve usage up front and refund on failure; bill the
  owning org, not the caller's active org
- Injection defenses: HTML-escape user fields in emails, strip CR/LF from
  subject/recipient, validate ElevenLabs voiceId before URL interpolation
- Media routes: stream off disk instead of buffering whole files; rate-limit
  anonymous public audio/cover endpoints by client IP
2026-06-20 20:59:03 -04:00
Leon Serfaty cd1d6a1a28 Add brand logo + favicon across app surfaces
Ship the Podcast Distribution AI wordmark as real assets and replace the
Mic-tile + text placeholder everywhere it appeared.

- public/logo-dark.png (dark wordmark, for light backgrounds) and
  public/logo-light.png (light wordmark, for dark backgrounds)
- New <Logo> component swaps the two via Tailwind dark: variants, so the
  dark logo shows on all non-themed surfaces (marketing, auth, admin,
  public share) and the light logo only in dark-mode app surfaces
- Wire <Logo> into the marketing header/footer, auth layout, app header
  (default branch only - white-label org logos untouched), admin header
  (+ Admin badge), and the public share page
- Favicon via App Router file convention: app/icon.png + app/apple-icon.png

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-20 20:58:37 -04:00
Leon Serfaty 013a3525e5 docs: point deploy git URL at the actual repo (admin/podcastdistributiona) 2026-06-20 20:17:09 -04:00
Leon Serfaty 4fb2645db1 Rebrand PodcastYes -> Podcast Distribution AI (podcastdistributionai.com) 2026-06-20 20:12:43 -04:00
Leon Serfaty 3ad90f076f fix: tolerate empty NEXT_PUBLIC_APP_URL during production build 2026-06-08 04:46:58 -04:00
Leon Serfaty 305278a846 Add comprehensive /features page + allow Unsplash imagery 2026-06-08 04:37:10 -04:00
Leon Serfaty 8138827657 Retarget deployment from Plesk to Dokploy (Docker Compose) 2026-06-07 18:30:53 -04:00
Leon Serfaty f033f00379 Comprehensive admin + user dashboards (production-ready) 2026-06-07 17:54:30 -04:00
Leon Serfaty 155507f21a Initial commit: PodcastYes — AI podcast platform 2026-06-07 03:58:32 -04:00