
audit: /dev/preview is publicly served on production #34

Description

@tkowalczyk

Evidence

curl -s -o /dev/null -w '%{http_code}' https://ogsfrompoly.com/dev/preview → 200 (verified 2026-06-12).

src/pages/dev/preview.astro is an internal brand-primitives fixture page ("Internal preview of Phase 2 brand primitives") with hardcoded fake numbers (hitRate 0.6428, +$2,143, fixture statement cards titled "Weekly statement · May 25 → 31"). With output: "server", every page is shipped to production; there is no middleware or env guard in front of this one. Risks: crawlers/LLMs index fake performance numbers on the credibility domain; the fixture cards link to statement slugs that 404.

TDD plan (failing tests first)

Pages are excluded from vitest, so put the decision in a testable helper:

  1. src/lib/preview-gate/preview-gate.ts exporting isPreviewEnabled(cloudflareEnv: string | undefined): boolean — true only for "dev" (and decide: staging?).
  2. Tests FIRST: "dev" → true, "staging" → per decision, "production" → false, undefined → false, "PRODUCTION" → false (case handling explicit).
  3. In dev/preview.astro frontmatter: if (!isPreviewEnabled(env.CLOUDFLARE_ENV)) return new Response("Not Found", { status: 404 }); (same pattern the draft fence uses in [...slug].astro).

Alternative considered: delete the page (it duplicates what Storybook-style tooling would do). Keeping it gated is fine; deleting is also acceptable — implementer's choice, gate is the cheaper diff.
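A helper implementing steps 1 and 2 of the plan above, written here as an added example rather than the project's own code. It assumes the path src/lib/preview-gate/preview-gate.ts from the plan, keeps "staging" as an opt-in policy parameter because the issue leaves that decision open, and adds a gatePreview wrapper (hypothetical name) that returns the value the frontmatter turns into the 404 Response.

```typescript
// Assumed location: src/lib/preview-gate/preview-gate.ts (example code, not the project's).
// Only "dev" is allowed by default; whether "staging" should also be allowed is an open
// decision in the issue, so it is an opt-in policy value rather than a hardcoded default.

export type PreviewPolicy = {
  /** Exact CLOUDFLARE_ENV values that may render the fixture page. */
  allowedEnvs: ReadonlySet<string>;
};

export const DEFAULT_POLICY: PreviewPolicy = { allowedEnvs: new Set(["dev"]) };

/**
 * Decide whether /dev/preview may render for the given CLOUDFLARE_ENV.
 * Fails closed: undefined, empty, unknown and differently-cased values
 * ("PRODUCTION", "Dev") all return false, so a typo in the env can only
 * hide the page, never expose it.
 */
export function isPreviewEnabled(
  cloudflareEnv: string | undefined,
  policy: PreviewPolicy = DEFAULT_POLICY,
): boolean {
  if (typeof cloudflareEnv !== "string") return false;
  // Case-sensitive exact match: no trim, no lowercasing. Being explicit here
  // is what lets the "PRODUCTION" -> false test case pin the behaviour.
  return policy.allowedEnvs.has(cloudflareEnv);
}

/** What the page frontmatter acts on; mirrors the draft fence in [...slug].astro. */
export type GateResult = { status: 200 } | { status: 404; body: "Not Found" };

export function gatePreview(
  cloudflareEnv: string | undefined,
  policy: PreviewPolicy = DEFAULT_POLICY,
): GateResult {
  return isPreviewEnabled(cloudflareEnv, policy)
    ? { status: 200 }
    : { status: 404, body: "Not Found" };
}
// In dev/preview.astro frontmatter (hypothetical wiring):
//   const gate = gatePreview(env.CLOUDFLARE_ENV);
//   if (gate.status === 404) return new Response(gate.body, { status: gate.status });

// Truth table from the TDD plan, kept as data so the unit test and a manual run agree.
export const TRUTH_TABLE: ReadonlyArray<[string | undefined, boolean]> = [
  ["dev", true],
  ["production", false],
  [undefined, false],
  ["PRODUCTION", false],
  ["", false],
];

export function truthTableHolds(policy: PreviewPolicy = DEFAULT_POLICY): boolean {
  return TRUTH_TABLE.every(([env, want]) => isPreviewEnabled(env, policy) === want);
}
```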

Acceptance criteria

AC                                        Test
isPreviewEnabled truth table              unit
Production returns 404 for /dev/preview   curl after deploy
Dev keeps working preview                 pnpm dev manual check

Labels: afk; Agent-grabbable: implementable without further input; bug: Something isn't working