i fucked up huuuh

.beads/issues.jsonl

@@ -1,3 +1,5 @@
+{"_type":"issue","id":"islandflow-vnq","title":"Fix deploy verification for same-origin host","description":"Remove the hardcoded separate API host assumption from deployment tooling and docs. Make deploy verification and documentation match the current flow.deltaisland.io setup, using same-origin verification where appropriate instead of forcing api.flow.deltaisland.io.\n","status":"closed","priority":1,"issue_type":"bug","assignee":"dirtydishes","owner":"dishes@dpdrm.com","created_at":"2026-05-08T11:34:49Z","created_by":"dirtydishes","updated_at":"2026-05-08T11:37:35Z","started_at":"2026-05-08T11:35:37Z","closed_at":"2026-05-08T11:37:35Z","close_reason":"Completed","dependency_count":0,"dependent_count":0,"comment_count":0}
+{"_type":"issue","id":"islandflow-762","title":"Fix public API hostname TLS/proxy path","description":"Debug and fix the public API hostname so https://api.flow.deltaisland.io/health works again. Determine whether the failure is in Cloudflare, Nginx Proxy Manager, DNS, or the API proxy host definition, then apply the smallest safe fix and verify the public endpoint.\n","status":"in_progress","priority":1,"issue_type":"bug","assignee":"dirtydishes","owner":"dishes@dpdrm.com","created_at":"2026-05-08T11:21:41Z","created_by":"dirtydishes","updated_at":"2026-05-08T11:21:52Z","started_at":"2026-05-08T11:21:52Z","dependency_count":0,"dependent_count":0,"comment_count":0}
 {"_type":"issue","id":"islandflow-33c","title":"Investigate public API TLS handshake failure","description":"Investigate the public TLS handshake failure on https://api.flow.deltaisland.io/health. After the compose network fix, the app host is healthy and nginx-proxy-manager can reach islandflow-vps-api-1 internally, but both local and server-side HTTPS requests to api.flow.deltaisland.io fail during TLS handshake at the public edge. This likely needs proxy or Cloudflare inspection outside the app stack.\n","status":"open","priority":1,"issue_type":"task","owner":"dishes@dpdrm.com","created_at":"2026-05-08T11:13:36Z","created_by":"dirtydishes","updated_at":"2026-05-08T11:13:36Z","dependency_count":0,"dependent_count":0,"comment_count":0}
 {"_type":"issue","id":"islandflow-xsi","title":"Fix deploy precheck shell pattern generation","description":"Fix the deploy precheck shell-pattern generation introduced while allowing known untracked server paths. The generated remote bash case statement needs a valid combined pattern so ./deploy main can complete on the live server.\n","status":"closed","priority":1,"issue_type":"bug","assignee":"dirtydishes","owner":"dishes@dpdrm.com","created_at":"2026-05-08T11:11:37Z","created_by":"dirtydishes","updated_at":"2026-05-08T11:12:02Z","started_at":"2026-05-08T11:11:53Z","closed_at":"2026-05-08T11:12:02Z","close_reason":"Completed","dependency_count":0,"dependent_count":0,"comment_count":0}
 {"_type":"issue","id":"islandflow-kda","title":"Fix production compose shared-network topology","description":"Restore the production Docker topology so the merged deploy workflow actually matches the live proxy setup. Update deployment/docker/docker-compose.yml on the working branch so web and api attach to the shared npm-shared network instead of relying on loopback host port bindings, then validate the compose config and document any rollout implications.\n","status":"closed","priority":1,"issue_type":"bug","assignee":"dirtydishes","owner":"dishes@dpdrm.com","created_at":"2026-05-08T11:08:48Z","created_by":"dirtydishes","updated_at":"2026-05-08T11:10:46Z","started_at":"2026-05-08T11:09:02Z","closed_at":"2026-05-08T11:10:46Z","close_reason":"Completed","dependency_count":0,"dependent_count":0,"comment_count":0}

deployment/docker/.env.example

@@ -15,11 +15,11 @@ API_DELIVER_POLICY=new
 API_CONSUMER_RESET=false
 
 # Public web build target:
-# - Set NEXT_PUBLIC_API_URL=https://api.example.com when an external proxy
-#   or load balancer serves the API on a distinct origin.
 # - Leave NEXT_PUBLIC_API_URL empty to use same-origin mode and proxy API
-#   paths to the published API host port yourself.
+#   paths from flow.deltaisland.io to the API container yourself.
-NEXT_PUBLIC_API_URL=https://api.example.com
+# - Set NEXT_PUBLIC_API_URL=https://api.example.com only when an external
+#   proxy or load balancer serves the API on a distinct origin.
+NEXT_PUBLIC_API_URL=
 NEXT_PUBLIC_NBBO_MAX_AGE_MS=1000
 
 # Options ingest

deployment/docker/README.md

@@ -52,8 +52,8 @@ Important defaults:
 - `OPTIONS_INGEST_ADAPTER=synthetic` and `EQUITIES_INGEST_ADAPTER=synthetic` are the safest first-boot settings.
 - `WEB_BIND_IP=127.0.0.1` and `API_BIND_IP=127.0.0.1` keep the published ports local to the host by default.
 - `WEB_HOST_PORT=3000` and `API_HOST_PORT=4000` control the host-side published ports.
+- `NEXT_PUBLIC_API_URL=` (empty, the default in `.env.example`) fits same-origin mode where your edge layer proxies API paths from the app origin to the API host port.
 - `NEXT_PUBLIC_API_URL=https://api.example.com` fits a two-origin setup where the browser reaches the API on a separate public origin.
-- `NEXT_PUBLIC_API_URL=` (empty) fits same-origin mode where your edge layer proxies API paths from the app origin to the API host port.
 
 3. Build and start the stack:
 
@@ -249,9 +249,16 @@ If the live checkout is on a branch deploy and you want normal production tracki
 The helper always does the final public verification against:
 
 - `https://flow.deltaisland.io`
-- `https://api.flow.deltaisland.io/health`
 
-Those checks assume your current edge routing already forwards those domains to the host ports published by this stack.
+It also verifies API health from inside the `api` container during the remote verification step.
+
+If you intentionally run a separate public API origin, add an extra public API check by exporting `DEPLOY_PUBLIC_API_HEALTH_URL` before running the deploy:
+
+```bash
+DEPLOY_PUBLIC_API_HEALTH_URL=https://api.example.com/health ./deploy main
+```
+
+Same-origin deployments should leave that unset unless the edge layer exposes a public API health route on purpose.
 
 ## Manual server fallback
 

scripts/deploy.ts

@@ -18,8 +18,8 @@ const ALLOWED_REMOTE_UNTRACKED = new Set([
 ]);
 const API_CONTAINER = "islandflow-vps-api-1";
 const WEB_CONTAINER = "islandflow-vps-web-1";
-const PUBLIC_APP_URL = "https://flow.deltaisland.io";
+const PUBLIC_APP_URL = process.env.DEPLOY_PUBLIC_APP_URL?.trim() || "https://flow.deltaisland.io";
-const PUBLIC_API_HEALTH_URL = "https://api.flow.deltaisland.io/health";
+const PUBLIC_API_HEALTH_URL = process.env.DEPLOY_PUBLIC_API_HEALTH_URL?.trim() || null;
 const LOG_SERVICES = ["api", "web", "compute", "candles", "ingest-options", "ingest-equities"];
 
 const scriptPath = fileURLToPath(import.meta.url);
@@ -37,7 +37,11 @@ Modes:
 
 Options:
   --force-recreate  Escalation path for docker compose when a normal refresh is not enough.
-  --help            Show this help text.`);
+  --help            Show this help text.
+
+Environment:
+  DEPLOY_PUBLIC_APP_URL         Override the public app URL (default: https://flow.deltaisland.io).
+  DEPLOY_PUBLIC_API_HEALTH_URL  Optional separate public API health URL for two-origin deployments.`);
   process.exit(exitCode);
 }
 
@@ -260,7 +264,15 @@ docker exec ${WEB_CONTAINER} bun -e 'const r = await fetch("http://127.0.0.1:300
 function publicVerification(): void {
   section("Public Verification");
   runChecked("curl", ["-I", "-fksS", PUBLIC_APP_URL]);
+
+  if (PUBLIC_API_HEALTH_URL) {
     runChecked("curl", ["-fksS", PUBLIC_API_HEALTH_URL]);
+    return;
+  }
+
+  console.log(
+    "Skipping separate public API health check; same-origin mode relies on the public app check plus container-local API verification."
+  );
 }
 
 function shellEscape(value: string): string {