fix(kit): ASC 401 in production + stale-toast on Products tab

[hyochan]

Summary

Bundle of post-merge fixes for the kit Products page on top of #127. All driven by real reports — LukasB-DEV on #127, hyochan triage on Hyo Dev / martie.

Fixes

1. ASC API 401 across every production tenant (4037afe)

resolveAscCredentials required both iosAscIssuerId AND iosAscKeyId to flip into the ASC slot. The Settings UI deliberately exposes a single shared Issuer ID input ("Issuer ID is shared with the Server API above — Apple uses one Issuer per team"), so production projects always have iosAscIssuerId = undefined and iosAscKeyId = "<team-key-id>".

Old gate returned false → fallback resolved (iosAppStoreIssuerId, iosAppStoreKeyId) (Server API / In-App Purchase pair) but the .p8 came from getAppleAscApiKey (ASC private key). The JWT was signed with the ASC private key while its kid claim was the Server API key id — Apple rejected every such request with 401:

ASC /v1/apps/{id}/inAppPurchasesV2?limit=200 returned 401:
Provide a properly configured and signed bearer token, and make sure that it has not expired.

Fix: gate on iosAscKeyId alone; issuerId falls back to iosAppStoreIssuerId when the dedicated ASC issuer slot is empty. Legacy single-slot uploads keep working.

2. Stale completion toast on Products tab mount (f290ab1)

The completion toast re-fired every time the operator opened the Products tab when a stale terminal job sat in productSyncJobs. Replaced the in-memory "have I shown this jobId" set with a transition rule: track previous status per platform, only toast on queued|running → succeeded|failed for the same jobId. Fresh observations of an already-terminal job stay silent.

3. Subscription Group section had no closing delimiter (b6dc03c)

groupRowsByHierarchy correctly partitioned Consumables / NonConsumables into ungrouped, but the table rendered them straight after the subscription cluster with no visual delimiter — Consumables looked like part of the subscription group. Added an explicit "Other products" header before the ungrouped section when at least one subscription group renders above.

4. Dev launch.json baked PROD URLs into Hono's static fallback (bdf7c9d)

The kit dev launch booted Vite (5173), Hono (3000), and Convex in parallel. Hono serves the SPA out of ./dist, but bun run build is vite build which defaults to mode=production and loads .env.production AFTER .env.local — so the prod Convex URL won and got baked into every dist/assets/*.js bundle. Visiting localhost:3000 in that state ran the prod GitHub OAuth App and bounced the operator out to kit.openiap.dev — even in incognito, because the redirect target lived in the bundle, not in cookies.

Fix: wipe dist/ + node_modules/.vite, then explicitly rebuild with vite build --mode development so Hono's static fallback ships a bundle pinned to .env.local (dev Convex URL).

5. Kit dev entry on top + colored group headers + session-scoped result banner (c45d1a1)

• Move "🧰 Kit: Dev (Vite + Hono + Convex)" to the top of .vscode/launch.json.
• Group headers in the Products table now use colored backgrounds (blue tint for "Subscription Group · {name}", amber tint for "Other products") with a 4px left accent bar so the section break is unambiguous.
• Result banner + completion toast now gate on a sessionTriggeredJobIdsRef: Set<jobId> populated when the operator clicks Sync / Dry-run / Reset from THIS mount. Stale terminal jobs from a previous session (HMR reload, page revisit, sync triggered in another tab) no longer surface as if they had just run.

6. SSOT for JobStatusSnapshot (13d3154)

Pull jobId / status field types straight off SyncJob (= Doc<"productSyncJobs">) — schema additions in convex/schema.ts automatically widen the local snapshot type instead of silently drifting (Gemini SSOT review).

Test plan

• typecheck / lint / format / 346 vitest — clean across every commit
• smoke:server — green
• After merge: npx convex deploy --prod — schema only adds optional projects.activeSyncJobIds, no migration needed
• After merge: open Products tab on prod with a pre-existing terminal job → no banner / toast on remount; banner only appears for syncs triggered in the active session
• After merge: confirm LukasB-DEV's ASC sync flow on prod

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@hyochan has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 8 minutes and 43 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 21916b29-fbf6-491b-a40b-17f6108c6798

📥 Commits

Reviewing files that changed from the base of the PR and between f290ab1 and 13d3154.

📒 Files selected for processing (3)

• .vscode/launch.json
• packages/kit/convex/products/asc.ts
• packages/kit/src/pages/auth/organization/project/products.tsx

📝 Walkthrough

Walkthrough

The sync-completion toast behavior in the products page is refactored to emit toasts only upon true status transitions. The previous per-jobId-per-mount guard is replaced with a per-platform status snapshot that tracks prior job state and only fires success/failure toasts when a job transitions from queued/running to a terminal state.

Changes

Toast Transition Logic

Layer / File(s)	Summary
Type & State Definition packages/kit/src/pages/auth/organization/project/products.tsx (lines 54–76)	New JobStatusSnapshot type introduced; prevJobStatusRef replaces lastShownJobIdRef to track previous { jobId, status } per platform for transition detection.
Toast Effect Implementation packages/kit/src/pages/auth/organization/project/products.tsx (lines 101–129)	Effect now updates prevJobStatusRef, suppresses toasts on first observation or jobId change, skips dismissed jobs, and requires prior status to be queued or running before emitting terminal-state toast.
Toast Rendering packages/kit/src/pages/auth/organization/project/products.tsx (line 130)	Toast success/failure messages remain functionally unchanged; now reached only under the new transition rules.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• hyodotdev/openiap#127: Prior attempt at the same file modifying lastShownJobIdRef logic for toast completion guards, now replaced by the per-platform status-transition snapshot approach.

Suggested labels

🛠 bugfix

Poem

🐰 A toast to transitions, not every chime,
Per platform we track what came before,
Dismissed and first-seen are no more,
Only real state change earns the chime—
Cleaner, smarter, and right on time! ✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	⚠️ Warning	The title 'fix(kit): ASC 401 in production + stale-toast on Products tab' partially addresses the stale-toast issue but mentions 'ASC 401 in production' which is not substantiated in the PR objectives or summary.	Update the title to focus on the main change: 'fix(kit): only toast product-sync result when triggered in this session' or 'fix(kit): prevent stale product-sync toast on Products tab reopen' to accurately reflect the primary fix.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/kit-product-sync-toast-stale

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request refactors the product sync job notification logic to use a state transition model, ensuring that completion toasts only fire when a job moves from a non-terminal to a terminal state. This change prevents redundant notifications when revisiting the page. Feedback was provided to leverage the existing "SyncJob" type for the job status snapshot to ensure consistency with the project's type definitions and adhere to the Single Source of Truth principle.

[coderabbitai]

🧹 Nitpick comments (1)

packages/kit/src/pages/auth/organization/project/products.tsx (1)

67-72: ⚡ Quick win

Use an interface and reuse SyncJob field types for the snapshot.

This new object shape is a better fit for an interface, and jobId/status can stay aligned with the backend type instead of being re-declared here.

♻️ Suggested refactor

-  type JobStatusSnapshot = {
-    jobId: string;
-    status: "queued" | "running" | "succeeded" | "failed";
-  };
+  interface JobStatusSnapshot {
+    jobId: SyncJob["_id"];
+    status: SyncJob["status"];
+  }

As per coding guidelines, **/*.{ts,tsx}: Prefer interface for defining object shapes in TypeScript.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/kit/src/pages/auth/organization/project/products.tsx` around lines
67 - 72, Replace the type alias JobStatusSnapshot with an interface and reuse
the backend SyncJob field types instead of re-declaring them: define interface
JobStatusSnapshot { jobId: SyncJob['id']; status: SyncJob['status']; } and keep
prevJobStatusRef as useRef<Record<'IOS' | 'Android', JobStatusSnapshot | null>>
so the snapshot stays aligned with the SyncJob type and follows the project's
interface preference.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@packages/kit/src/pages/auth/organization/project/products.tsx`:
- Around line 67-72: Replace the type alias JobStatusSnapshot with an interface
and reuse the backend SyncJob field types instead of re-declaring them: define
interface JobStatusSnapshot { jobId: SyncJob['id']; status: SyncJob['status']; }
and keep prevJobStatusRef as useRef<Record<'IOS' | 'Android', JobStatusSnapshot
| null>> so the snapshot stays aligned with the SyncJob type and follows the
project's interface preference.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fae1d3ba-7941-4d59-869b-f61527b99c57

📥 Commits

Reviewing files that changed from the base of the PR and between faae26a and f290ab1.

📒 Files selected for processing (1)

• packages/kit/src/pages/auth/organization/project/products.tsx