
refactor: replaces server side turnstile config provision with injected config #1353

Merged: stalniy merged 1 commit into main from refactor/ui-config-for-testing on May 23, 2025

@stalniy stalniy commented May 22, 2025

Why

Because the approach with page route interception is too slow. It currently adds +30 secs to page load time (the first paint happens 30 secs after navigation). Probably due to a large number of external requests.

What

Provides config via an injected global variable with a signed signature to ensure that nobody except us can inject config and overwrite the Turnstile configuration.

Summary by CodeRabbit

  • New Features

    • Added support for cryptographically signed UI configuration injection in the browser, enhancing configuration verification and security.
    • Introduced new environment variables for public key configuration in production and staging environments.
  • Bug Fixes

    • Updated environment variable handling and removed legacy API endpoints and services related to Turnstile site key management.
  • Refactor

    • Simplified the Turnstile component to require explicit props for configuration.
    • Streamlined Playwright test setup to use signed config injection instead of token-based headers.
    • Updated Playwright test configuration for improved video recording and reduced timeout.
    • Modified main app to asynchronously decode and apply injected configuration with loading state.
  • Chores

    • Upgraded Playwright test dependency to the latest version.
    • Minor environment file formatting improvements.

@stalniy stalniy requested a review from a team as a code owner May 22, 2025 13:43

coderabbitai bot commented May 22, 2025

Walkthrough

This update refactors the mechanism for injecting and verifying UI configuration, particularly for Turnstile site key handling and UI tests. It replaces header-based token injection with cryptographically signed configuration using RSA keys. The codebase removes related API endpoints, services, and hooks, updates Playwright test fixtures, and introduces new environment variables and config decoding logic. Associated workflow and environment files are adjusted accordingly.

Changes

| File(s) | Change Summary |
| --- | --- |
| .github/actions/console-web-ui-testing/action.yml, .github/workflows/console-web-release.yml | Replaced ui-tests-token-name with ui-config-signature-private-key input/secret in GitHub Actions and workflows; removed Doppler CLI and token retrieval steps. |
| apps/deploy-web/env/.env.production, apps/deploy-web/env/.env.staging | Added NEXT_PUBLIC_UI_CONFIG_PUBLIC_KEY (RSA public key) for production and staging environments. |
| apps/deploy-web/env/.env.sample | Added a newline at the end of the file. |
| apps/deploy-web/package.json | Updated @playwright/test from ^1.45.0 to ^1.52.0. |
| apps/deploy-web/playwright.config.ts | Reduced test timeout to 30s; enabled video recording on test failure. |
| apps/deploy-web/src/components/turnstile/Turnstile.tsx | Refactored to require explicit enabled and siteKey props; removed config fetching and internal defaults. |
| apps/deploy-web/src/config/browser-env.config.ts | Added BrowserEnvConfig type alias. |
| apps/deploy-web/src/config/env-config.schema.ts | Removed TURNSTILE_TEST_SITE_KEY and UI_TESTS_TOKEN from server environment schema. |
| apps/deploy-web/src/pages/_app.tsx | On mount, decodes injected config and controls Turnstile rendering based on decoded or default config; shows loading indicator while resolving. |
| apps/deploy-web/src/pages/api/config.ts | Deleted API route for serving Turnstile site key based on token. |
| apps/deploy-web/src/queries/useAppConfig.ts | Deleted hook for fetching remote app config. |
| apps/deploy-web/src/services/config/config.service.ts | Deleted config service and related types. |
| apps/deploy-web/src/services/http-factory/http-factory.service.ts | Removed config service factory from service container. |
| apps/deploy-web/src/services/decodeInjectedConfig/decodeInjectedConfig.ts | Added decodeInjectedConfig function to verify and decode signed injected config using RSA public key. |
| apps/deploy-web/src/services/decodeInjectedConfig/decodeInjectedConfig.spec.ts | Added test suite for decodeInjectedConfig function covering various verification and decoding scenarios. |
| apps/deploy-web/tests/fixture/base-test.ts | Replaced header-based UI tests token injection with RSA-signed config injection into page context for Playwright tests. |
| apps/deploy-web/tests/fixture/context-with-extension.ts | Updated to use new injectUIConfig instead of addUITestsToken in test setup. |
| apps/deploy-web/tests/fixture/test-env.config.ts | Replaced UI_TESTS_TOKEN with UI_CONFIG_SIGNATURE_PRIVATE_KEY in test environment schema and config. |
| apps/deploy-web/tests/pages/DeployBasePage.tsx | Fixed import path for test environment config. |

Sequence Diagram(s)

sequenceDiagram
    participant TestRunner as Playwright Test Runner
    participant Page as Browser Page
    participant App as Next.js App
    participant Window as window object

    TestRunner->>Page: injectUIConfig()
    Note right of Page: Generate signed config with private key
    Page->>Window: Set window.__SIGNED_UI_CONFIG
    Page->>App: Load application
    App->>Window: Read window.__SIGNED_UI_CONFIG
    App->>App: decodeInjectedConfig() with public key
    App-->>App: If verified, use decoded config
    App->>App: Render Turnstile with config

Poem

🐇
A hop, a skip, a cryptic key,
No more tokens sent by me!
Now configs signed, with keys so bright,
The Turnstile shines in RSA light.
Tests leap forward, swift and strong—
Secure and nimble, we hop along!

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

npm warn config production Use --omit=dev instead.
npm error Exit handler never called!
npm error This is an error with npm itself. Please report this error at:
npm error https://github.com/npm/cli/issues
npm error A complete log of this run can be found in: /.npm/_logs/2025-05-23T02_31_30_550Z-debug-0.log


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6cd3201 and 520ae7d.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (21)
  • .github/actions/console-web-ui-testing/action.yml (3 hunks)
  • .github/workflows/console-web-release.yml (1 hunks)
  • apps/deploy-web/env/.env.production (1 hunks)
  • apps/deploy-web/env/.env.sample (1 hunks)
  • apps/deploy-web/env/.env.staging (1 hunks)
  • apps/deploy-web/package.json (1 hunks)
  • apps/deploy-web/playwright.config.ts (1 hunks)
  • apps/deploy-web/src/components/turnstile/Turnstile.tsx (3 hunks)
  • apps/deploy-web/src/config/browser-env.config.ts (1 hunks)
  • apps/deploy-web/src/config/env-config.schema.ts (1 hunks)
  • apps/deploy-web/src/pages/_app.tsx (4 hunks)
  • apps/deploy-web/src/pages/api/config.ts (0 hunks)
  • apps/deploy-web/src/queries/useAppConfig.ts (0 hunks)
  • apps/deploy-web/src/services/config/config.service.ts (0 hunks)
  • apps/deploy-web/src/services/decodeInjectedConfig/decodeInjectedConfig.spec.ts (1 hunks)
  • apps/deploy-web/src/services/decodeInjectedConfig/decodeInjectedConfig.ts (1 hunks)
  • apps/deploy-web/src/services/http-factory/http-factory.service.ts (0 hunks)
  • apps/deploy-web/tests/fixture/base-test.ts (1 hunks)
  • apps/deploy-web/tests/fixture/context-with-extension.ts (3 hunks)
  • apps/deploy-web/tests/fixture/test-env.config.ts (1 hunks)
  • apps/deploy-web/tests/pages/DeployBasePage.tsx (1 hunks)
💤 Files with no reviewable changes (4)
  • apps/deploy-web/src/services/config/config.service.ts
  • apps/deploy-web/src/pages/api/config.ts
  • apps/deploy-web/src/services/http-factory/http-factory.service.ts
  • apps/deploy-web/src/queries/useAppConfig.ts
✅ Files skipped from review due to trivial changes (2)
  • apps/deploy-web/tests/pages/DeployBasePage.tsx
  • apps/deploy-web/src/components/turnstile/Turnstile.tsx
🚧 Files skipped from review as they are similar to previous changes (15)
  • apps/deploy-web/env/.env.sample
  • apps/deploy-web/package.json
  • apps/deploy-web/src/config/browser-env.config.ts
  • .github/workflows/console-web-release.yml
  • apps/deploy-web/tests/fixture/context-with-extension.ts
  • apps/deploy-web/env/.env.production
  • apps/deploy-web/tests/fixture/test-env.config.ts
  • apps/deploy-web/src/config/env-config.schema.ts
  • apps/deploy-web/src/pages/_app.tsx
  • apps/deploy-web/src/services/decodeInjectedConfig/decodeInjectedConfig.ts
  • .github/actions/console-web-ui-testing/action.yml
  • apps/deploy-web/env/.env.staging
  • apps/deploy-web/tests/fixture/base-test.ts
  • apps/deploy-web/src/services/decodeInjectedConfig/decodeInjectedConfig.spec.ts
  • apps/deploy-web/playwright.config.ts
⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: test-deploy-web-build

codecov bot commented May 22, 2025

Codecov Report

Attention: Patch coverage is 53.12500% with 15 lines in your changes missing coverage. Please review.

Project coverage is 33.96%. Comparing base (2a9e6ec) to head (520ae7d).
Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| apps/deploy-web/src/pages/_app.tsx | 0.00% | 11 Missing and 1 partial ⚠️ |
| .../deploy-web/src/components/turnstile/Turnstile.tsx | 0.00% | 1 Missing and 1 partial ⚠️ |
| ...vices/decodeInjectedConfig/decodeInjectedConfig.ts | 94.44% | 1 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1353      +/-   ##
==========================================
+ Coverage   33.90%   33.96%   +0.06%     
==========================================
  Files         798      796       -2     
  Lines       19415    19418       +3     
  Branches     3601     3604       +3     
==========================================
+ Hits         6582     6595      +13     
+ Misses      12245    12234      -11     
- Partials      588      589       +1     

| Flag | Coverage Δ | *Carryforward flag |
| --- | --- | --- |
| api | 64.23% <ø> (ø) | Carriedforward from 2a9e6ec |
| deploy-web | 13.39% <53.12%> (+0.10%) ⬆️ | |
| notifications | 87.66% <ø> (ø) | Carriedforward from 2a9e6ec |
| provider-proxy | 80.09% <ø> (ø) | Carriedforward from 2a9e6ec |

*This pull request uses carry forward flags. Click here to find out more.

| Files with missing lines | Coverage Δ |
| --- | --- |
| apps/deploy-web/src/config/browser-env.config.ts | 100.00% <ø> (ø) |
| apps/deploy-web/src/config/env-config.schema.ts | 58.33% <ø> (ø) |
| .../src/services/http-factory/http-factory.service.ts | 85.71% <ø> (-0.96%) ⬇️ |
| ...vices/decodeInjectedConfig/decodeInjectedConfig.ts | 94.44% <94.44%> (ø) |
| .../deploy-web/src/components/turnstile/Turnstile.tsx | 0.00% <0.00%> (ø) |
| apps/deploy-web/src/pages/_app.tsx | 0.00% <0.00%> (ø) |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

🔭 Outside diff range comments (2)
apps/deploy-web/env/.env.sample (1)

53-54: 🛠️ Refactor suggestion

Update template with new UI config public key variable.

The .env.sample only adds a newline after UNLEASH_SERVER_API_TOKEN= but doesn’t reflect the newly introduced NEXT_PUBLIC_UI_CONFIG_PUBLIC_KEY. It’s helpful to include a commented placeholder in the sample to guide setup:

 UNLEASH_SERVER_API_TOKEN=
+
+# NEXT_PUBLIC_UI_CONFIG_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\n...your PEM key here...\n-----END PUBLIC KEY-----"
apps/deploy-web/src/components/turnstile/Turnstile.tsx (1)

52-99: 🛠️ Refactor suggestion

Security consideration with fetch interception

The code intercepts fetch calls to handle Turnstile challenges, but the implementation doesn't verify the origin of requests, which could potentially lead to security issues with CSRF attacks.

Consider adding origin verification when intercepting fetch calls:

window.fetch = async (...args) => {
  let response = await originalFetch(...args);

-  if (typeof args[0] === "string" && args[0].startsWith("/") && response.status > 400 && turnstileRef.current) {
+  if (typeof args[0] === "string" && 
+      args[0].startsWith("/") && 
+      response.status > 400 && 
+      turnstileRef.current && 
+      (!document.referrer || new URL(document.referrer).origin === window.location.origin)) {
    turnstileRef.current?.remove();
    turnstileRef.current?.render();
    turnstileRef.current?.execute();
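
Review bot: the `document.referrer` condition on the last added line does not check the origin of the intercepted request. `document.referrer` is the URL of the page that linked here and stays the same for every `fetch` on the page, so a visitor arriving from an external link would never get the Turnstile retry. Separately, `args[0].startsWith("/")` also matches protocol-relative URLs such as `//host/path`; if same-origin is the intent, compare `new URL(args[0], window.location.origin).origin` with `window.location.origin` instead.
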
🧹 Nitpick comments (10)
apps/deploy-web/env/.env.staging (1)

36-46: Ensure PEM key is loaded correctly in staging.

As in production, the multi-line NEXT_PUBLIC_UI_CONFIG_PUBLIC_KEY may not parse with default dotenv behavior. Please verify that staging builds and the browser can read this key. If parsing fails, consider using a single-line, escaped \n format or base64 encoding.

.github/actions/console-web-ui-testing/action.yml (2)

50-50: Ensure the private key is masked in logs

UI_CONFIG_SIGNATURE_PRIVATE_KEY is exported to the shell environment.
Although GitHub masks secrets, any echo or logging inside the test commands will dump the key verbatim.
For extra safety, add:

env:
  UI_CONFIG_SIGNATURE_PRIVATE_KEY: ${{ secrets.ui-config-signature-private-key }}
  # Prevent accidental echo
  ACTIONS_STEP_DEBUG: false

or move the key to a file in $RUNNER_TEMP and reference it from the test code to avoid accidental exposure.


81-81: Debug statement risks leaking sensitive data

console.dir(pr, { depth: null }) prints the full pull-request payload, including labels and potentially secret-scoped data (in private repos).
Consider removing or wrapping it with core.debug so it only shows up when ACTIONS_STEP_DEBUG=true.

apps/deploy-web/src/pages/_app.tsx (3)

58-65: Loss of first paint while waiting for config

Rendering a full-page Loading… spinner blocks hydration until decodeInjectedConfig resolves, even though the fallback browserEnvConfig is already available.

A less jarring UX is to render immediately with the fallback and update once the promise settles:

-  const [isResolvedConfig, setIsResolvedConfig] = useState(false);
+  const [isResolvedConfig, setIsResolvedConfig] = useState(true); // render immediately
-  if (!isResolvedConfig) {
-    return <Loading text="Loading config..." />;
-  }
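
Review bot: with the initial value changed to `true` on the `+` line and the `if (!isResolvedConfig)` guard removed, `isResolvedConfig` is never read, so the state and its setter should be deleted rather than kept. Rendering before the promise settles also means Turnstile first mounts with the `browserEnvConfig` fallback and only later receives the injected values, so confirm the component handles a `siteKey` change after mount.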

and keep enabled / siteKey wrapped in the same fallback logic.
This eliminates an extra paint and noticeably reduces the perceived TTI.


61-65: Swallowing verification errors hides mis-configuration

decodeInjectedConfig() errors are ignored. If signature verification fails you silently fall back to defaults, which masks both security and CI mistakes.

  useEffect(() => {
    decodeInjectedConfig()
-      .then(setConfig)
-      .finally(() => setIsResolvedConfig(true));
+      .then(setConfig)
+      .catch(err => {
+        console.error("Injected UI config verification failed:", err);
+      })
+      .finally(() => setIsResolvedConfig(true));
  }, []);
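
Review bot: the added `.catch` only sees rejections. If `decodeInjectedConfig()` resolves to `null` when verification fails, as described elsewhere in this review, a bad signature still flows through `.then(setConfig)` without any log. Report the `null` case too, for example in the `.then` callback when an injected value was present but not accepted.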

Surfacing the error (even only in dev / test) will shorten debugging cycles.


73-76: Type-safety: guard against undefined booleans

config?.NEXT_PUBLIC_TURNSTILE_ENABLED may be undefined, which results in React passing enabled={undefined}.
If ClientOnlyTurnstile expects a strict boolean, wrap it:

enabled={Boolean(config?.NEXT_PUBLIC_TURNSTILE_ENABLED ?? browserEnvConfig.NEXT_PUBLIC_TURNSTILE_ENABLED)}

Avoids React warnings and prevents accidental prop type coercion.

apps/deploy-web/tests/fixture/base-test.ts (2)

34-49: Delimiter collision: JSON may legally contain .

The signed payload is concatenated as <json>.<signature>.
If future config fields include a dot (e.g., version strings "1.2.3"), decodeInjectedConfig may split at the wrong place.

To future-proof:

-const result = `${serializedConfig}.${sigBase64}`;
+const result = `${Buffer.from(serializedConfig).toString("base64url")}.${sigBase64}`;
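
Review bot: base64url-encoding the JSON on the `+` line makes the payload roughly a third larger, not smaller, and the decoder has to change in the same commit or every signed config will be rejected. Since the base64 signature cannot contain `.`, splitting at the last `.` (`lastIndexOf`) in the decoder removes the ambiguity without changing the wire format.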

Base-64-encoding the JSON removes delimiter ambiguity and slightly shrinks the payload size.


51-63: Node compatibility: rely on a stable Crypto import

crypto.subtle is only globally available from Node 20.
Pinning to it silently breaks CI images pinned to LTS-18.

-importPrivateKey
+import { webcrypto as crypto } from "node:crypto";
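
Review bot: the `-` line is a bare `importPrivateKey`, not an import statement, so applying this as written deletes a reference to that function instead of adding an import. The `import { webcrypto as crypto } from "node:crypto";` line should be a pure addition at the top of the file.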

or gate with:

const subtle = (globalThis.crypto ?? crypto).subtle;

Ensures the tests run on both 18 & 20.

apps/deploy-web/src/config/browser-env.config.ts (2)

44-44: Type definition might cause confusion with existing schema-based type

There appears to be a potential naming conflict or duplication with another BrowserEnvConfig type defined in env-config.schema.ts (which is derived from a Zod schema). Consider renaming this type or consolidating the types to avoid confusion.

-export type BrowserEnvConfig = typeof browserEnvConfig;
+export type RuntimeBrowserEnvConfig = typeof browserEnvConfig;

46-70: Secure implementation of config verification

The implementation correctly uses Web Crypto API with RSASSA-PKCS1-v1_5 and SHA-256 for signature verification. The function properly handles error cases by returning null when verification fails or required components are missing.

However, there's a potential issue with error handling. The function silently returns null without logging any failures, which might make debugging difficult in production.

Consider adding logging for verification failures (especially in non-production environments):

  if (!isValidSignature) {
+   if (process.env.NEXT_PUBLIC_NODE_ENV !== 'production') {
+     console.warn('Config signature verification failed');
+   }
    return null;
  }
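
Review bot: the guard on the first added line fails open. If `NEXT_PUBLIC_NODE_ENV` is unset, `undefined !== 'production'` is true and the warning is emitted in production as well. Gate on an explicit allow condition (for example `=== 'development'` or `=== 'test'`) so that a missing variable means no logging.
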
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6ec4513 and b56a03b.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (19)
  • .github/actions/console-web-ui-testing/action.yml (3 hunks)
  • .github/workflows/console-web-release.yml (1 hunks)
  • apps/deploy-web/env/.env.production (1 hunks)
  • apps/deploy-web/env/.env.sample (1 hunks)
  • apps/deploy-web/env/.env.staging (1 hunks)
  • apps/deploy-web/package.json (1 hunks)
  • apps/deploy-web/playwright.config.ts (1 hunks)
  • apps/deploy-web/src/components/turnstile/Turnstile.tsx (3 hunks)
  • apps/deploy-web/src/config/browser-env.config.ts (1 hunks)
  • apps/deploy-web/src/config/env-config.schema.ts (1 hunks)
  • apps/deploy-web/src/pages/_app.tsx (3 hunks)
  • apps/deploy-web/src/pages/api/config.ts (0 hunks)
  • apps/deploy-web/src/queries/useAppConfig.ts (0 hunks)
  • apps/deploy-web/src/services/config/config.service.ts (0 hunks)
  • apps/deploy-web/src/services/http-factory/http-factory.service.ts (0 hunks)
  • apps/deploy-web/tests/fixture/base-test.ts (1 hunks)
  • apps/deploy-web/tests/fixture/context-with-extension.ts (3 hunks)
  • apps/deploy-web/tests/fixture/test-env.config.ts (1 hunks)
  • apps/deploy-web/tests/pages/DeployBasePage.tsx (1 hunks)
💤 Files with no reviewable changes (4)
  • apps/deploy-web/src/services/http-factory/http-factory.service.ts
  • apps/deploy-web/src/pages/api/config.ts
  • apps/deploy-web/src/queries/useAppConfig.ts
  • apps/deploy-web/src/services/config/config.service.ts
🧰 Additional context used
🧬 Code Graph Analysis (2)
apps/deploy-web/tests/fixture/context-with-extension.ts (1)
apps/deploy-web/tests/fixture/base-test.ts (1)
  • injectUIConfig (16-30)
apps/deploy-web/src/config/browser-env.config.ts (1)
apps/deploy-web/src/config/env-config.schema.ts (1)
  • BrowserEnvConfig (69-69)
⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: test-deploy-web-build
🔇 Additional comments (13)
apps/deploy-web/env/.env.production (1)

37-48:

❓ Verification inconclusive

Verify multi-line env var parsing for Next.js.

You’ve inlined a PEM-encoded public key across multiple lines inside quotes. Standard dotenv parsers may not support literal newlines, which could cause build/runtime errors. Please confirm that Next.js (or @akashnetwork/env-loader) correctly loads this format. If not, consider one of the following:

  • Base64-encode the key and decode at runtime.
  • Serialize newlines (\n) inside a single-line string.

Verify multi-line environment variable support

It looks like you’ve inlined a PEM-encoded public key across multiple lines inside the .env.production file. The default Next.js loader (via dotenv/dotenv-expand) does not reliably parse literal newlines inside quoted values, which can lead to missing or malformed keys at build/runtime. Please confirm that your setup (Next.js or any custom @akashnetwork/env-loader) accepts this format. If it doesn’t, consider one of the following:

  • Base64-encode the entire key and decode it at runtime.
  • Serialize the newlines as \n in a single-line string, for example:
    NEXT_PUBLIC_UI_CONFIG_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0B…IDAQAB\n-----END PUBLIC KEY-----"
    
apps/deploy-web/package.json (1)

143-143: Playwright version bump approved.

Bumping @playwright/test from ^1.45.0 to ^1.52.0 aligns with the updated test fixtures and config changes.

apps/deploy-web/tests/pages/DeployBasePage.tsx (1)

4-4: Import path correction looks good.

Switching from an absolute to a relative import for testEnvConfig ("../fixture/test-env.config") aligns with the project structure and updated test-fixture layout.

apps/deploy-web/tests/fixture/context-with-extension.ts (2)

8-8: Update to the test fixture authentication mechanism

The import change from addUITestsToken to injectUIConfig aligns with the PR's goal of improving performance by replacing server-side token authentication with client-side injected configuration.


65-65: Function call updated to use signed config injection

This change replaces the token-based authentication with cryptographically signed configuration injection, which is more secure and efficient. The new approach avoids the performance issues associated with page route interception.

.github/workflows/console-web-release.yml (1)

54-54: GitHub workflow updated to use private key for config signing

The workflow now uses a private key for cryptographically signing the UI configuration instead of a token. This is a more secure approach and supports the broader change in authentication strategy.

apps/deploy-web/src/config/env-config.schema.ts (1)

66-66: Removed environment variables as part of server-side config refactoring

The removal of TURNSTILE_TEST_SITE_KEY and UI_TESTS_TOKEN from the server environment schema is appropriate since the server-side config endpoints and related hooks have been removed in favor of client-side injected configuration.

apps/deploy-web/playwright.config.ts (2)

22-22: Reduced test timeout for faster feedback

Reducing the test timeout from 60 to 30 seconds will provide faster feedback when tests fail, which is appropriate if tests are expected to complete within this timeframe.


30-32: Added video recording for failed tests

Adding video capture for test failures will improve debugging capabilities without adding overhead to successful test runs. This enhancement to test diagnostics complements the existing trace collection functionality.

apps/deploy-web/src/components/turnstile/Turnstile.tsx (4)

41-44: Explicit props improve component reliability

Making the enabled and siteKey props explicit requirements ensures the component has the necessary configuration at render time, avoiding potential runtime errors.


46-46: Component no longer relies on fetched configuration

The refactored component now takes configuration directly through props, which aligns with the PR objective of improving performance by eliminating server-side config fetching.


111-113: Early return pattern improves readability

The early return pattern when the component is disabled is a good practice that simplifies the component logic.


179-179: Dynamic import improves initial load performance

Using Next.js dynamic import with ssr: false ensures the Turnstile component only loads client-side, which helps with initial page load performance.

@stalniy stalniy force-pushed the refactor/ui-config-for-testing branch 2 times, most recently from b4e6331 to 6cd3201 Compare May 22, 2025 14:25
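
The signed-config scheme discussed in this thread (a `<json>.<signature>` string checked with RSASSA-PKCS1-v1_5 and SHA-256), as an added example that is not the project's `decodeInjectedConfig` code. It uses Node's synchronous `crypto` module in place of the browser's Web Crypto API so that it runs offline; the function names, the generated key pairs, and the config values (`SITE_KEY`, `version`) are constructed for illustration.

```javascript
// Added example: keys, config values and function names are constructed.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

// Signer (test-runner side): produces "<json>.<base64 signature>".
// crypto.sign("sha256", ...) with an RSA key is RSASSA-PKCS1-v1_5 / SHA-256.
function signConfig(config, privateKey) {
  const payload = JSON.stringify(config);
  const signature = sign("sha256", Buffer.from(payload, "utf8"), privateKey);
  return `${payload}.${signature.toString("base64")}`;
}

// Verifier (app side): returns the config object, or null for anything
// that does not carry a valid signature from the expected key.
function decodeSignedConfig(signed, publicKey) {
  if (typeof signed !== "string") return null;

  // The base64 alphabet has no ".", so the LAST dot is always the
  // delimiter, even when the JSON itself contains dots.
  const dot = signed.lastIndexOf(".");
  if (dot <= 0 || dot === signed.length - 1) return null;
  const payload = signed.slice(0, dot);
  const sigB64 = signed.slice(dot + 1);
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(sigB64)) return null;

  // Verify the exact bytes that were signed BEFORE parsing them.
  let ok = false;
  try {
    ok = verify(
      "sha256",
      Buffer.from(payload, "utf8"),
      publicKey,
      Buffer.from(sigB64, "base64")
    );
  } catch {
    return null;
  }
  if (!ok) return null;

  try {
    const parsed = JSON.parse(payload);
    const isObject =
      parsed !== null && typeof parsed === "object" && !Array.isArray(parsed);
    return isObject ? parsed : null;
  } catch {
    return null;
  }
}

// Runs the accepted case and three rejected cases on constructed input.
function runDemo() {
  const ours = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const other = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const config = {
    NEXT_PUBLIC_TURNSTILE_ENABLED: true,
    SITE_KEY: "constructed-site-key",
    version: "1.2.3" // dots inside the JSON payload
  };
  const signed = signConfig(config, ours.privateKey);

  return {
    // Splitting at the first dot would cut the JSON in the middle.
    splitsDiffer: signed.indexOf(".") !== signed.lastIndexOf("."),
    valid: decodeSignedConfig(signed, ours.publicKey),
    // Payload edited after signing.
    tampered: decodeSignedConfig(signed.replace("true", "false"), ours.publicKey),
    // Well-formed, but signed with a key the app does not trust.
    wrongKey: decodeSignedConfig(signConfig(config, other.privateKey), ours.publicKey),
    // Plain JSON with no signature at all.
    unsigned: decodeSignedConfig(JSON.stringify(config), ours.publicKey)
  };
}
```

In the browser the same check maps to `crypto.subtle.verify` with the public key from `NEXT_PUBLIC_UI_CONFIG_PUBLIC_KEY`; the order of operations (split at the last dot, verify, then parse) stays the same.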