From 2e13febfc7f61617cf9046879a89bb8b2af450a3 Mon Sep 17 00:00:00 2001
From: Gabriel Brown <gbrown@ksensetech.com>
Date: Sun, 21 Jun 2026 23:49:08 -0500
Subject: [PATCH] Update stuff

---
 apps/next/src/instrumentation-client.ts |  1 -
 apps/next/src/proxy.ts                  |  2 +-
 package.json                            |  3 ++
 packages/backend/convex/auth.ts         | 45 ++++++++---------------
 packages/backend/convex/diagnostics.ts  | 34 -----------------
 packages/backend/package.json           |  1 +
 scripts/build-next-app                  |  5 +++
 scripts/deploy-convex                   | 49 +++++++++++++++++++++++++
 scripts/with-env                        |  2 +-
 9 files changed, 75 insertions(+), 67 deletions(-)
 delete mode 100644 packages/backend/convex/diagnostics.ts
 create mode 100755 scripts/deploy-convex

diff --git a/apps/next/src/instrumentation-client.ts b/apps/next/src/instrumentation-client.ts
index 1ffe376..e540cb9 100644
--- a/apps/next/src/instrumentation-client.ts
+++ b/apps/next/src/instrumentation-client.ts
@@ -4,7 +4,6 @@ import * as Sentry from '@sentry/nextjs';
 
 Sentry.init({
   dsn: env.NEXT_PUBLIC_SENTRY_DSN,
-  tunnel: '/monitoring',
   integrations: [
     Sentry.replayIntegration({
       maskAllText: false,
diff --git a/apps/next/src/proxy.ts b/apps/next/src/proxy.ts
index 2d93ac3..c1c30b6 100644
--- a/apps/next/src/proxy.ts
+++ b/apps/next/src/proxy.ts
@@ -30,7 +30,7 @@ export default convexAuthNextjsMiddleware(
 
 export const config = {
   matcher: [
-    '/((?!_next/static|_next/image|favicon.ico|monitoring|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
+    '/((?!_next/static|_next/image|favicon.ico|monitoring-tunnel|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
     '/((?!.*\\..*|_next).*)',
     '/',
     '/(api)(.*)',
diff --git a/package.json b/package.json
index 32e01ec..5ed7602 100644
--- a/package.json
+++ b/package.json
@@ -65,6 +65,9 @@
     "dev:expo:tunnel": "turbo run dev:tunnel -F @spoon/expo -F @spoon/backend",
     "dev:expo:tunnel:staging": "INFISICAL_ENV=staging turbo run dev:tunnel -F @spoon/expo -F @spoon/backend",
     "codegen:convex": "bash scripts/convex-codegen",
+    "deploy:convex:staging": "bash scripts/deploy-convex staging",
+    "deploy:convex:production": "bash scripts/deploy-convex production",
+    "deploy:convex:prod": "bash scripts/deploy-convex prod",
     "sync:convex": "scripts/sync-convex-env ${INFISICAL_ENV:-dev}",
     "sync:convex:staging": "scripts/sync-convex-env staging",
     "sync:convex:production": "scripts/sync-convex-env production",
diff --git a/packages/backend/convex/auth.ts b/packages/backend/convex/auth.ts
index e214332..ca64e53 100644
--- a/packages/backend/convex/auth.ts
+++ b/packages/backend/convex/auth.ts
@@ -14,37 +14,22 @@ import { api } from './_generated/api';
 import { action, mutation, query } from './_generated/server';
 import { Password, validatePassword } from './custom/auth';
 
-const authProviders = [
-  ...(process.env.AUTH_AUTHENTIK_ID &&
-  process.env.AUTH_AUTHENTIK_SECRET &&
-  process.env.AUTH_AUTHENTIK_ISSUER
-    ? [
-        Authentik({
-          allowDangerousEmailAccountLinking: true,
-          clientId: process.env.AUTH_AUTHENTIK_ID,
-          clientSecret: process.env.AUTH_AUTHENTIK_SECRET,
-          issuer: process.env.AUTH_AUTHENTIK_ISSUER,
-        }),
-      ]
-    : []),
-  ...((process.env.AUTH_GITHUB_ID ?? process.env.GITHUB_APP_CLIENT_ID) &&
-  (process.env.AUTH_GITHUB_SECRET ?? process.env.GITHUB_APP_CLIENT_SECRET)
-    ? [
-        GitHub({
-          allowDangerousEmailAccountLinking: true,
-          clientId:
-            process.env.AUTH_GITHUB_ID ?? process.env.GITHUB_APP_CLIENT_ID,
-          clientSecret:
-            process.env.AUTH_GITHUB_SECRET ??
-            process.env.GITHUB_APP_CLIENT_SECRET,
-        }),
-      ]
-    : []),
-  Password,
-];
-
 export const { auth, signIn, signOut, store, isAuthenticated } = convexAuth({
-  providers: authProviders,
+  providers: [
+    Authentik({
+      allowDangerousEmailAccountLinking: true,
+      clientId: process.env.AUTH_AUTHENTIK_ID,
+      clientSecret: process.env.AUTH_AUTHENTIK_SECRET,
+      issuer: process.env.AUTH_AUTHENTIK_ISSUER,
+    }),
+    GitHub({
+      allowDangerousEmailAccountLinking: true,
+      clientId: process.env.AUTH_GITHUB_ID ?? process.env.GITHUB_APP_CLIENT_ID,
+      clientSecret:
+        process.env.AUTH_GITHUB_SECRET ?? process.env.GITHUB_APP_CLIENT_SECRET,
+    }),
+    Password,
+  ],
 });
 
 const getUserById = async (
diff --git a/packages/backend/convex/diagnostics.ts b/packages/backend/convex/diagnostics.ts
deleted file mode 100644
index 4de7cee..0000000
--- a/packages/backend/convex/diagnostics.ts
+++ /dev/null
@@ -1,34 +0,0 @@
-import { query } from './_generated/server';
-
-const hasEnv = (name: string) => Boolean(process.env[name]?.trim());
-
-export const envStatus = query({
-  args: {},
-  handler: () => ({
-    auth: {
-      authentikId: hasEnv('AUTH_AUTHENTIK_ID'),
-      authentikSecret: hasEnv('AUTH_AUTHENTIK_SECRET'),
-      authentikIssuer: hasEnv('AUTH_AUTHENTIK_ISSUER'),
-      githubId: hasEnv('AUTH_GITHUB_ID') || hasEnv('GITHUB_APP_CLIENT_ID'),
-      githubSecret:
-        hasEnv('AUTH_GITHUB_SECRET') || hasEnv('GITHUB_APP_CLIENT_SECRET'),
-      jwtPrivateKey: hasEnv('JWT_PRIVATE_KEY'),
-      jwks: hasEnv('JWKS'),
-      siteUrl: hasEnv('SITE_URL'),
-    },
-    githubApp: {
-      appId: hasEnv('GITHUB_APP_ID'),
-      privateKey: hasEnv('GITHUB_APP_PRIVATE_KEY'),
-      installationId: hasEnv('GITHUB_APP_INSTALLATION_ID'),
-    },
-    email: {
-      useSendApiKey: hasEnv('USESEND_API_KEY'),
-      useSendUrl: hasEnv('USESEND_URL'),
-      useSendFromEmail: hasEnv('USESEND_FROM_EMAIL'),
-    },
-    spoon: {
-      encryptionKey: hasEnv('SPOON_ENCRYPTION_KEY'),
-      workerToken: hasEnv('SPOON_WORKER_TOKEN'),
-    },
-  }),
-});
diff --git a/packages/backend/package.json b/packages/backend/package.json
index c2aef3a..e9b0895 100644
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@@ -18,6 +18,7 @@
     "dev:web": "bun sync-env && bun with-env convex dev",
     "setup": "bun sync-env && bun with-env convex dev --until-success",
     "codegen": "convex codegen --typecheck disable",
+    "deploy": "convex deploy --typecheck disable",
     "clean": "git clean -xdf .cache .turbo dist node_modules",
     "format": "prettier --check . --ignore-path ../../.gitignore",
     "lint": "eslint --flag unstable_native_nodejs_ts_config",
diff --git a/scripts/build-next-app b/scripts/build-next-app
index 33dbe9e..b7321cd 100755
--- a/scripts/build-next-app
+++ b/scripts/build-next-app
@@ -17,3 +17,8 @@ else
 fi
 args=(); [[ -z "$ENV_FILE" ]] || args+=(--env-file "$ENV_FILE")
 docker compose "${args[@]}" -f "$ROOT_DIR/docker/compose.yml" build spoon-next
+if [[ -n "$ENV_FILE" ]]; then
+  CI_ENV_FILE="$ENV_FILE" bash "$ROOT_DIR/scripts/deploy-convex" "$ENVIRONMENT"
+else
+  bash "$ROOT_DIR/scripts/deploy-convex" "$ENVIRONMENT"
+fi
diff --git a/scripts/deploy-convex b/scripts/deploy-convex
new file mode 100755
index 0000000..cc911aa
--- /dev/null
+++ b/scripts/deploy-convex
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." && pwd)"
+ENVIRONMENT="${1:-staging}"
+[[ "$ENVIRONMENT" == dev || "$ENVIRONMENT" == staging || "$ENVIRONMENT" == production || "$ENVIRONMENT" == prod ]] || {
+  echo "usage: deploy-convex [dev|staging|production|prod] [convex deploy args...]" >&2
+  exit 2
+}
+shift || true
+FROM_CURRENT_ENV=0
+if [[ "${1:-}" == "--from-current-env" ]]; then
+  FROM_CURRENT_ENV=1
+  shift
+fi
+
+ENV_FILE="${CI_ENV_FILE:-}"
+cleanup() {
+  [[ -n "$ENV_FILE" && "$ENV_FILE" != "${CI_ENV_FILE:-}" ]] && rm -f "$ENV_FILE" || true
+}
+trap cleanup EXIT
+
+if [[ "$FROM_CURRENT_ENV" -eq 0 && -z "$ENV_FILE" && -z "${CI:-}" ]]; then
+  ENV_FILE="$(mktemp "${TMPDIR:-/tmp}/spoon-convex-deploy.XXXXXX.env")"
+  sh "$ROOT_DIR/scripts/export-env" "$ENVIRONMENT" > "$ENV_FILE"
+fi
+
+deploy_from_current_env() {
+  if [[ -z "${CONVEX_SELF_HOSTED_URL:-}" ]]; then
+    if [[ -n "${CONVEX_URL:-}" ]]; then
+      export CONVEX_SELF_HOSTED_URL="$CONVEX_URL"
+    elif [[ -n "${NEXT_PUBLIC_CONVEX_URL:-}" ]]; then
+      export CONVEX_SELF_HOSTED_URL="$NEXT_PUBLIC_CONVEX_URL"
+    fi
+  fi
+
+  bash "$ROOT_DIR/scripts/sync-convex-env" "$ENVIRONMENT" --from-current-env
+  bash "$ROOT_DIR/scripts/convex-codegen"
+  cd "$ROOT_DIR"
+  bun patch:usesend
+  cd "$ROOT_DIR/packages/backend"
+  bun convex deploy --typecheck disable "$@"
+}
+
+if [[ "$FROM_CURRENT_ENV" -eq 0 && -n "$ENV_FILE" ]]; then
+  exec bun dotenv -e "$ENV_FILE" -- bash "$0" "$ENVIRONMENT" --from-current-env "$@"
+fi
+
+deploy_from_current_env "$@"
diff --git a/scripts/with-env b/scripts/with-env
index 8de2f2f..c6cbcac 100755
--- a/scripts/with-env
+++ b/scripts/with-env
@@ -33,7 +33,7 @@ sh "$ROOT_DIR/scripts/export-env" "$ENVIRONMENT" > "$TMP_ENV"
 
 export WITH_ENV_SOURCE=infisical WITH_ENV_ENVIRONMENT="$ENVIRONMENT" WITH_ENV_STATE_FILE="$STATE_FILE"
 set +e
-bunx dotenv -e "$TMP_ENV" -- "$@"
+bun dotenv -e "$TMP_ENV" -- "$@"
 status=$?
 set -e
 exit "$status"