Skip to content

SAFETY-001 — Preserve callbacks and fail closed on local Firebase isolation #99

Description

@daliu

Problem

The GitHub Pages SPA bridge dropped Stripe/Strava query and hash state. Local Auth and Firestore used emulators while Functions could still target the deployed project; emulator setup errors and non-emulated analytics/monitoring could silently reach external services.

Outcome

Preserve safe same-origin callback state and make development/test use a matching demo-mprc-local Firebase namespace with fail-closed Auth, Firestore, Functions, Analytics, and Sentry behavior.

Scope

  • public/404.html, public/index.html, public/spa-navigation.js, tests/spa-navigation.test.js
  • src/services/firebase/FirebaseResources.ts and its focused test
  • src/services/monitoring/sentry.ts and its focused test
  • Emulator/script hunks in root and Functions package.json
  • Safe local environment examples owned by the architecture handoff

Acceptance criteria

  • Path, query, and hash survive the SPA bridge; malformed/cross-origin targets are discarded.
  • Development and test select demo-mprc-local and connect Auth, Firestore, and Functions to localhost.
  • Emulator configuration failure stops startup.
  • Production does not connect emulators.
  • Analytics and Sentry do not initialize in local/test.
  • Focused frontend/SPA tests and production compile pass.

Dependencies

None. This is a prerequisite for CI-001A and safe provider testing.

Coordination

A verified local working-tree implementation predates publication of this issue. This issue records the exact ownership boundary before any further editing or PR work. The existing diff must be isolated onto the claimed branch before review; unrelated changes and the pre-existing public/sitemap.xml modification are excluded.

Do not edit the listed paths or duplicate this outcome while the issue is assigned and has a valid timestamped CLAIMED marker.

Metadata

Metadata

Assignees

Labels

area:firebaseFirebase services and dataarea:webWeb application and hostingpriority:P0Launch blocker or urgent security risksize:SSmall focused issuetype:reliabilityReliability and recoverytype:securitySecurity or privacy boundary

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions