experiments in a post-browser web
security: remove hardcoded prod URLs, require env config
+20
-11
+1
-1
AGENTS.md
+1
-1
AGENTS.md
···
9
9
**Railway (Server Deployment):**
10
10
- Project: `amusing-courtesy`
11
11
- Service: `peek-node`
12
-
- URL: `https://peek-node.up.railway.app`
12
+
- URL: (set in .env as PEEK_PROD_URL)
13
13
- Link command: `cd backend/server && railway link -p amusing-courtesy`
14
14
- Deploy: `cd backend/server && railway up -d`
15
15
- Logs: `railway logs -n 50`
+1
-1
DEVELOPMENT.md
+1
-1
DEVELOPMENT.md
+1
-1
TODO.md
+1
-1
TODO.md
···
13
13
Today
14
14
- [~][release] build and deploy release versions of desktop, ios, and server
15
15
- [ ][workflow] agents need policy to never read outside workspace; spawned explore agents don't inherit policies
16
-
- [ ][security] remove production server endpoint from source - should only be in .env files or user-entered
17
16
18
17
Later
19
18
- [ ][desktop] access to notes on filesystem, syncing them as markdown files in ~/sync/Notes/peek
···
472
471
473
472
### 2026-W04
474
473
474
+
- [x][security] remove production server endpoint from source - should only be in .env files or user-entered
475
475
- [x][desktop] fix groups extension - add visit tracking, filter for URLs only
476
476
- [x][workflow] fix TODO archival - updated agent templates with clearer instructions
477
477
- [x][workflow] clarify ./app rule - now about respecting front-end/back-end architecture boundary
+2
-2
backend/electron/sync.ts
+2
-2
backend/electron/sync.ts
···
103
103
// If query fails, fall through to defaults
104
104
}
105
105
106
-
// Fall back to env var or default
107
-
return process.env.SYNC_SERVER_URL || 'https://peek-node.up.railway.app';
106
+
// Fall back to env var (empty string disables sync)
107
+
return process.env.SYNC_SERVER_URL || '';
108
108
}
109
109
110
110
/**
+1
-1
backend/server/.env.example
+1
-1
backend/server/.env.example
+7
-1
backend/server/test-api.js
+7
-1
backend/server/test-api.js
···
24
24
BASE_URL = "http://localhost:3000";
25
25
API_KEY = process.env.PEEK_LOCAL_KEY;
26
26
} else if (isProd) {
27
-
BASE_URL = process.env.PEEK_PROD_URL || "https://peek-node.up.railway.app";
27
+
BASE_URL = process.env.PEEK_PROD_URL;
28
28
API_KEY = process.env.PEEK_PROD_KEY;
29
29
} else {
30
30
// Fallback to legacy env vars for backwards compatibility
31
31
BASE_URL = process.env.BASE_URL || "http://localhost:3000";
32
32
API_KEY = process.env.API_KEY;
33
+
}
34
+
35
+
if (isProd && !BASE_URL) {
36
+
console.error("ERROR: PEEK_PROD_URL not set for production tests");
37
+
console.error("Set PEEK_PROD_URL in .env or environment");
38
+
process.exit(1);
33
39
}
34
40
35
41
if (!API_KEY) {
+7
-4
backend/tests/sync-e2e-prod.test.js
+7
-4
backend/tests/sync-e2e-prod.test.js
···
25
25
const __dirname = dirname(fileURLToPath(import.meta.url));
26
26
27
27
// Configuration from environment
28
-
const PROD_URL = process.env.PEEK_PROD_URL || 'https://peek-node.up.railway.app';
28
+
const PROD_URL = process.env.PEEK_PROD_URL;
29
29
const PROD_KEY = process.env.PEEK_PROD_KEY;
30
30
31
31
// Test marker for this run - used for identification and cleanup
···
436
436
console.log('');
437
437
438
438
// Check for required env vars
439
-
if (!PROD_KEY) {
440
-
console.error('ERROR: PEEK_PROD_KEY environment variable is required');
439
+
if (!PROD_URL || !PROD_KEY) {
440
+
console.error('ERROR: Required environment variables missing');
441
+
if (!PROD_URL) console.error(' - PEEK_PROD_URL not set');
442
+
if (!PROD_KEY) console.error(' - PEEK_PROD_KEY not set');
441
443
console.error('');
442
-
console.error('Set it with:');
444
+
console.error('Set them with:');
445
+
console.error(' export PEEK_PROD_URL=https://your-server.railway.app');
443
446
console.error(' export PEEK_PROD_KEY=your-api-key');
444
447
console.error('');
445
448
process.exit(1);