Skip to content

release: to prod#1258

Merged
joelorzet merged 4 commits into
prodfrom
staging
May 14, 2026
Merged

release: to prod#1258
joelorzet merged 4 commits into
prodfrom
staging

Conversation

@joelorzet

@joelorzet joelorzet commented May 14, 2026

Copy link
Copy Markdown

Summary

Promote the following merged PRs from staging to prod:

Post-deploy verification

  • deploy-keeperhub workflow finishes green
  • curl -fsS https://app.keeperhub.com/api/health returns 200
  • Smoke-test the surfaces affected by the merged PRs above
  • Watch Sentry / logs for ~10 minutes after the rollout

joelorzet added 2 commits May 14, 2026 16:40
The Dockerfile installed pnpm via 'npm install -g pnpm' which resolves
to the latest tag. pnpm 11.1.2 (published 2026-05-14 11:44 UTC) tightened
overrides validation, causing 'pnpm install --frozen-lockfile' to fail
with ERR_PNPM_LOCKFILE_CONFIG_MISMATCH against the existing
keeperhub-events/pnpm-lock.yaml (generated with pnpm 10).

Pin to pnpm@10 to match the version used to author the lockfile and
the pinning convention already used by the root, sandbox, and
scheduler Dockerfiles.
…e-overrides

hotfix: pin pnpm@10 in event-tracker Dockerfile
eskp and others added 2 commits May 15, 2026 09:03
The MCP route handlers and the /api/* routes they call (execute,
workflow invocation, status, resources) run in the same Next.js
process. They were being called through the public hostname
(NEXT_PUBLIC_APP_URL, app.keeperhub.com), so each internal call
exited the pod to the Cloudflare edge. Once CF's "Block AI Scrapers
and Crawlers" managed challenge was enabled, those pod-to-edge
requests started getting a managed challenge and 403ing tool
execution (execute_contract_call, execute_transfer, etc.).

getBaseUrl returning the public URL is correct for OAuth metadata
documents the client must reach. The defect was reusing that same
value for the server's own internal fetches.

Adds getInternalApiBaseUrl() (in-pod loopback, INTERNAL_API_URL
override) and routes createMcpServer / createWorkflowMcpServer
through it. OAuth-metadata uses of getBaseUrl are unchanged. The
threaded parameter is renamed baseUrl -> internalApiBaseUrl so it
cannot be silently re-wired to the public URL again.
fix: route MCP server-to-server API calls over in-pod loopback
@joelorzet joelorzet merged commit 8859b85 into prod May 14, 2026
38 of 39 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants