chore(launch): web tsc CI gate + klorn.ai redirects + App Links scaffold #730

Merged: k08200 merged 1 commit into main from chore/launch-hygiene on Jul 4, 2026

@k08200 k08200 commented Jul 4, 2026

Owner

Summary

Three independent, low-risk launch-hygiene items (A1–A3):

A1 — web typecheck in CI. The TypeScript job only gated packages/api + packages/core; a broken packages/web tsc (missing @capacitor/app types) slipped through on 2026-07-03 and was only caught locally. Adds Typecheck Web to the same job.

A2 — klorn.ai/privacy + /terms redirects. The marketing host (GitHub Pages) 404'd both paths — the real pages live on app.klorn.ai. Adds redirect pages (canonical link + meta refresh + JS location.replace, noindex). The OAuth consent form already points at app.klorn.ai/privacy; this is hygiene for humans typing the short URL.

A3 — Android App Links scaffold (OAuth hardening; documented residual in OAUTH_RELAY.md: custom schemes are hijackable by a co-resident app):

  • website/.well-known/assetlinks.json for ai.klorn.app, carrying the debug cert SHA256 (extracted from the dev machine's debug keystore — verified App Links work on debug builds immediately). The release-keystore fingerprint step is documented in STORE_SUBMISSION.md.
  • AndroidManifest: autoVerify https intent-filter for klorn.ai/oauth-native next to the existing scheme filter (which keeps working). Dormant until the relay targets the https path; a browser fallback page exists at website/oauth-native/.

security-reviewer pass: SAFE, 0 findings — cert fingerprints are public-by-design (Digital Asset Links requires unauthenticated hosting); verification is exact-match per (package, fingerprint) so no cross-key benefit; redirect pages have no query passthrough (no open redirect); CI change adds no permissions/secrets.

Type

chore (CI gate) + fix (dead marketing URLs) + feat scaffold (App Links)

Checklist

  • All three independent; no app-logic change; scheme-based relay untouched
  • ci.yml YAML parsed, AndroidManifest XML parsed, assetlinks JSON parsed
  • English copy; no Co-Authored-By

Test plan

  • CI on this PR itself exercises the new web typecheck step
  • After merge (gh-pages deploy): klorn.ai/privacy + /terms redirect to app.klorn.ai; klorn.ai/.well-known/assetlinks.json serves JSON
  • Debug build on a device: adb shell pm get-app-links ai.klorn.app shows klorn.ai verified

…ks scaffold

A1 - CI: add packages/web typecheck to the TypeScript job. A broken web tsc
slipped through on 2026-07-03 because only api+core were gated.

A2 - klorn.ai/privacy and /terms were 404 on the marketing host (GitHub
Pages has no such paths; the real pages live on app.klorn.ai). Add redirect
pages (canonical + meta refresh + JS replace, noindex).

A3 - OAuth App Links hardening scaffold (documented residual: custom
schemes are hijackable by a co-resident app):
- website/.well-known/assetlinks.json with the DEBUG cert SHA256 (verifies
  on debug builds now); release keystore fingerprint step documented in
  STORE_SUBMISSION.md.
- AndroidManifest: autoVerify https intent-filter for klorn.ai/oauth-native,
  alongside the existing (still-working) scheme filter. Dormant until the
  relay redirects to the https path; browser fallback page included.

security-reviewer: SAFE (0 findings; debug fingerprint is public-by-design).

vercel Bot commented Jul 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| klorn-web | Ready | Preview, Comment | Jul 4, 2026 6:07am |

github-actions Bot commented Jul 4, 2026

🌊 Ripple — Impact of this PR's changes

The changes in this PR do not break the contracts (signatures, schemas, routes) of other code. ✅

@k08200 k08200 merged commit 5348b32 into main Jul 4, 2026
12 checks passed
@k08200 k08200 deleted the chore/launch-hygiene branch July 4, 2026 06:10