chore(launch): web tsc CI gate + klorn.ai redirects + App Links scaffold #730
Merged
…ks scaffold

A1 - CI: add packages/web typecheck to the TypeScript job. A broken web tsc slipped through on 2026-07-03 because only api+core were gated.

A2 - klorn.ai/privacy and /terms were 404 on the marketing host (GitHub Pages has no such paths; the real pages live on app.klorn.ai). Add redirect pages (canonical + meta refresh + JS replace, noindex).

A3 - OAuth App Links hardening scaffold (documented residual: custom schemes are hijackable by a co-resident app):
- website/.well-known/assetlinks.json with the DEBUG cert SHA256 (verifies on debug builds now); release keystore fingerprint step documented in STORE_SUBMISSION.md.
- AndroidManifest: autoVerify https intent-filter for klorn.ai/oauth-native, alongside the existing (still-working) scheme filter. Dormant until the relay redirects to the https path; browser fallback page included.

security-reviewer: SAFE (0 findings; debug fingerprint is public-by-design).
🌊 Ripple — Change impact of this PR: this PR's changes do not break the contracts (signatures, schemas, routes) of other code. ✅
Summary
Three independent, low-risk launch-hygiene items (A1–A3):
A1 — web typecheck in CI. The TypeScript job only gated packages/api + packages/core; a broken packages/web tsc (missing @capacitor/app types) slipped through on 2026-07-03 and was only caught locally. Adds Typecheck Web to the same job.

A2 — klorn.ai/privacy + /terms redirects. The marketing host (GitHub Pages) 404'd both paths — the real pages live on app.klorn.ai. Adds redirect pages (canonical link + meta refresh + JS location.replace, noindex). The OAuth consent form already points at app.klorn.ai/privacy; this is hygiene for humans typing the short URL.

A3 — Android App Links scaffold (OAuth hardening; documented residual in OAUTH_RELAY.md: custom schemes are hijackable by a co-resident app):
- website/.well-known/assetlinks.json for ai.klorn.app, carrying the debug cert SHA256 (extracted from the dev machine's debug keystore — verified App Links work on debug builds immediately). The release-keystore fingerprint step is documented in STORE_SUBMISSION.md.
- AndroidManifest: autoVerify https intent-filter for klorn.ai/oauth-native next to the existing scheme filter (which keeps working). Dormant until the relay targets the https path; a browser fallback page exists at website/oauth-native/.

security-reviewer pass: SAFE, 0 findings — cert fingerprints are public-by-design (Digital Asset Links requires unauthenticated hosting); verification is exact-match per (package, fingerprint) so no cross-key benefit; redirect pages have no query passthrough (no open redirect); CI change adds no permissions/secrets.
Type
chore (CI gate) + fix (dead marketing URLs) + feat scaffold (App Links)
Checklist
Test plan
- klorn.ai/privacy + /terms redirect to app.klorn.ai; klorn.ai/.well-known/assetlinks.json serves JSON
- adb shell pm get-app-links ai.klorn.app shows klorn.ai verified
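
An added example, not code from this PR or the klorn project: a pre-deploy check of the assetlinks.json described under A3. It shows the exact-match rule per (package, fingerprint), so a file carrying only the debug fingerprint does not cover a release-signed build. The function name, the sample file and both fingerprints are constructed placeholders; only the package name ai.klorn.app comes from the PR.

```python
import json
import re

# Relation that lets an Android app handle a site's https links (App Links).
HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"
# SHA-256 fingerprint as keytool prints it: 32 colon-separated hex bytes.
FP_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){31}$")


def check_assetlinks(doc, package, expected_fps):
    """Return a list of problems; empty means every expected fingerprint
    is declared for `package` under the handle_all_urls relation."""
    try:
        statements = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(statements, list):
        return ["top level must be a JSON array of statements"]
    problems, declared = [], set()
    for st in statements:
        target = st.get("target") if isinstance(st, dict) else None
        if not isinstance(target, dict):
            continue
        if (target.get("namespace"), target.get("package_name")) != ("android_app", package):
            continue  # statement is about some other app
        if HANDLE_ALL_URLS not in st.get("relation", []):
            problems.append(f"statement for {package} lacks {HANDLE_ALL_URLS}")
            continue
        for fp in target.get("sha256_cert_fingerprints", []):
            if isinstance(fp, str) and FP_RE.match(fp):
                declared.add(fp)
            else:
                problems.append(f"malformed fingerprint: {fp!r}")
    # Exact match per (package, fingerprint): one key never vouches for another.
    problems += [f"missing fingerprint for {package}: {fp}"
                 for fp in expected_fps if fp not in declared]
    return problems


# Constructed placeholders, not real certificate fingerprints.
DEBUG_FP = ":".join(["AA"] * 32)
RELEASE_FP = ":".join(["BB"] * 32)
# Constructed sample file declaring only the debug key, as in the scaffold.
SAMPLE = json.dumps([{
    "relation": [HANDLE_ALL_URLS],
    "target": {"namespace": "android_app", "package_name": "ai.klorn.app",
               "sha256_cert_fingerprints": [DEBUG_FP]},
}])

if __name__ == "__main__":
    print(check_assetlinks(SAMPLE, "ai.klorn.app", [DEBUG_FP, RELEASE_FP]))
```

Run against the served file with the release fingerprint in the expected list, the check stays red until the release-keystore step is done.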