Launch-week hosting ops: CORS, Nixpacks, lockfile drift, email domain gate
A cluster of small production-wiring commits from nwhitehouse's launch week. Mostly Vercel + Railway + Supabase-specific fixes, with two reusable patterns: a multi-origin CORS function and a DB-enforced email domain whitelist.
The CORS change is the most broadly useful. The original setup accepted a single FRONTEND_URL env string. The replacement is an origin-function allowlist that covers FRONTEND_URL, any *.vercel.app subdomain (so Vercel preview deploys work automatically), localhost dev ports, and the tryolava.ai apex plus subdomains. A missing entry in the original CORS list was silently turning /user/server-keys into a network error, which caused the frontend to default serverKeys.olava to false and show "API key required" on every chat send - the symptom was far from the cause.
The Nixpacks fix is a common trap: using nixPkgs = ["libreoffice"] replaces Nixpacks's auto-detected build plan rather than extending it, breaking npm ci because Node.js is no longer in the environment. The fix switches to aptPkgs, which is additive.
The email domain whitelist is a BEFORE INSERT trigger on auth.users that rejects emails outside an allowed list (onit.com, mccarthyfinch.com, k1.com). Hard-enforced at the DB, so it applies to direct Supabase API calls and the dashboard - the frontend is covered too, but the trigger is what matters. The frontend mirrors the check client-side for instant feedback, with a code comment noting that the DB trigger is the source of truth.
The dual-lockfile drift is a good cautionary note: canvas@^3.2.3 was added to package.json in the auth-hardening commit but only bun.lock was regenerated. Railway runs npm ci, which failed with "Missing: canvas@3.2.3 from lock file." A follow-up regenerates package-lock.json via npm install --package-lock-only. If your repo uses both bun and npm lockfiles, they will drift silently.
Other commits in this topic are situational: Next.js 16.0.3 → 16.2.4 to clear a Vercel security block, two empty re-trigger commits, and @vercel/analytics in the root layout.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?