feat(scratchnode): lock NodeBench private handoff

[HomenShum]

Summary

• lock the ScratchNode Live ↔ NodeBench AI product boundary in docs
• add deterministic ScratchNode v5 → NodeBench private event notebook handoff URLs
• extend live backend dogfood to enforce scratchnode.live/public and nodebenchai.com/private URL boundaries

Verification

• npx tsc --noEmit --pretty false
• npx vitest run convex/events.runtime-boundary.test.ts
• npm run build
• local patched home-v5 + real Convex config: npm run dogfood:proto-live-backend (3 passed)

Known existing harness gap

• npx vitest run convex/tests/scratchnode.events.test.ts is blocked by unresolved convex-test in the current install, despite package.json declaring it. This branch does not touch that harness.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nodebench-ai	Ready	Preview, Comment	May 27, 2026 5:07pm

[augmentcode]

🤖 Augment PR Summary

Summary: Locks the ScratchNode Live (public) ↔ NodeBench AI (private) boundary and adds deterministic handoff URLs from the ScratchNode v5 proto into NodeBench private event notebooks.

Changes:

• Adds an architecture doc clarifying public/private surfaces, the URL contract, data boundary, trace expectations, and QA gates.
• Updates public/proto/home-v5.html to compute a canonical NodeBench workspace base URL and to build private-event + sign-in handoff URLs.
• Adds “Continue in NodeBench” entrypoints in the menu, notes sheet, and sign-in sheet.
• Extends the Playwright dogfood spec to assert boundary invariants (no scratchnode.com regression) and verify the NodeBench handoff UI/URL rendering.

Technical Notes: Handoff URLs carry source=scratchnode, room, and an encoded return back to the ScratchNode event URL; the e2e test now enforces these invariants.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

public/proto/home-v5.html:1134 — WORKSPACE_BASE_URL inherits location.protocol when running on nodebenchai.com, which can produce http://... handoff/sign-in URLs if the page is served over HTTP. That can break auth redirects and undermines the intended transport guarantees for the private workspace boundary.

Severity: medium

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[augmentcode]

public/proto/home-v5.html:2413 — sendMagicLink() doesn’t actually attach or compute a return URL, but the toast claims the return target is the NodeBench event notebook. This could mislead users if the magic-link flow returns them elsewhere (or remains a stub).

Severity: low

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[github-actions]

✅ Dogfood Visual QA Gate: PASSED

Check	Status
Screenshots	23 captured (pass)
Walkthrough	9 chapters (pass)
Key Frames	9 extracted (pass)
Scribe Steps	8 how-to steps (pass)
Build	success

Artifacts

Download the dogfood-evidence-30997ed artifact from the Actions tab for full screenshots, frames, and walkthrough video.

---

Generated by Dogfood QA Gate

[HomenShum]

Superseded by CI-compliant branch feat/scratchnode-nodebench-handoff with the same commit; codex/* branch prefix is rejected by the Branch name gate.