
Feat/pre trial sandbox setup #301

Open
wisdom1016 wants to merge 2 commits into recoupable:main from wisdom1016:feat/pre-trial-sandbox-setup

Conversation


@wisdom1016 wisdom1016 commented Mar 16, 2026

Summary

Pre-trial work for the API repo: sandbox setup endpoint and auth/config improvements.

Changes

  • POST /api/sandboxes/setup – Route that validates auth (x-api-key or Bearer token), then triggers the setup-sandbox background task via Trigger.dev. Includes CORS and error handling.
  • Privy JWT verification – lib/privy/client.ts updated to support raw PEM, base64(PEM), or omitting the key (Privy SDK fetches JWKS). Fixes "Failed to verify authentication token" when PEM was incorrectly base64-decoded.
  • Docs – Local run instructions and Supabase migration notes where relevant.

Testing

  • Sandbox setup returns 200 when TRIGGER_API_URL and TRIGGER_SECRET_KEY are set; without them it returns 500 with a clear env error (expected in local dev without Trigger.dev credentials).
  • Existing tests for validateSetupSandboxBody and setupSandboxHandler pass.

Summary by CodeRabbit

  • Bug Fixes
    • Improved JWT verification key configuration to support multiple input formats (PEM, base64-encoded, or raw string) with better handling and validation.

- Introduced a new function to resolve the JWT verification key from environment variables, supporting both raw PEM and base64 formats.
- Updated the PrivyClient instantiation to conditionally include the jwtVerificationKey based on the resolved value.
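The resolver described above, as an added fail-closed example (not the PR's code or the Privy SDK's): it accepts a whole PEM block, base64(PEM), or an unset value, and throws on anything else instead of passing an opaque string on to the SDK. The function takes the env value as a parameter rather than reading process.env, and SAMPLE_PEM is a constructed, non-key body used only for illustration.

```typescript
// Added example (not the PR's code): fail-closed resolver for the key the PR
// reads from PRIVY_JWT_VERIFICATION_KEY. The caller passes the env value in so
// the logic is testable without touching process.env.

// Whole PEM block, anchored at both ends; the backreference forces the END
// label to match the BEGIN label, so a truncated or spliced block is rejected.
const PEM_BLOCK = /^-----BEGIN ([A-Z0-9 ]+)-----\r?\n[\s\S]+?\r?\n-----END \1-----$/;
const BASE64_ONLY = /^[A-Za-z0-9+/]+={0,2}$/;

function isPem(value: string): boolean {
  return PEM_BLOCK.test(value.trim());
}

function resolveJwtVerificationKey(raw: string | undefined): string | undefined {
  const value = raw?.trim();
  if (!value) return undefined; // unset: let the SDK fetch JWKS, as the PR describes
  if (isPem(value)) return value; // format 1: raw PEM
  // Format 2: base64(PEM). Buffer.from(..., "base64") never throws, it silently
  // drops invalid characters, so check the alphabet up front instead of try/catch.
  const compact = value.replace(/\s+/g, "");
  if (BASE64_ONLY.test(compact)) {
    const decoded = Buffer.from(compact, "base64").toString("utf8");
    if (isPem(decoded)) return decoded.trim();
  }
  // Anything else is a misconfiguration: fail at startup, not on the first login.
  throw new Error("PRIVY_JWT_VERIFICATION_KEY must be a PEM block, base64(PEM), or unset");
}

// Constructed sample: shaped like a PEM public key, but the body is not a real key.
const SAMPLE_PEM = [
  "-----BEGIN PUBLIC KEY-----",
  "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEconstructedconstructedconstructed",
  "constructedconstructedconstructedconstructedconstructedconstructedA==",
  "-----END PUBLIC KEY-----",
].join("\n");
```

A value such as "BEGINNER" passes the page's includes("BEGIN") check but is rejected here, as are a PEM with mismatched BEGIN/END labels and one cut off before its footer.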

vercel bot commented Mar 16, 2026

@wisdom1016 is attempting to deploy a commit to the Recoupable Team on Vercel.

A member of the Team first needs to authorize it.


coderabbitai bot commented Mar 16, 2026

Walkthrough

The change refactors JWT verification key handling by introducing a resolveJwtVerificationKey resolver function that flexibly supports multiple input formats—raw PEM, base64-encoded PEM, or raw strings—with lazy evaluation, replacing previous hard-coded base64 decoding logic.

Changes

Cohort / File(s): JWT Key Resolution Refactoring (lib/privy/client.ts)
Summary: Replaces unconditional base64 decoding with new resolveJwtVerificationKey function supporting multiple input formats (raw PEM, base64 PEM, raw strings). Implements whitespace stripping, PEM header validation, and lazy evaluation via conditional spread operator in PrivyClient initialization.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🔐 A key resolver born today,
Takes many forms, yet finds its way—
Base64, PEM, or plaintext true,
Lazy loading, flexible and new,
Configuration doth bloom anew! ✨

🚥 Pre-merge checks | ✅ 1 passed
Check name: Solid & Clean Code
Status: ✅ Passed
Explanation: Code adheres to all SOLID principles and clean code practices with well-defined single responsibility, elegant composition pattern, no duplication, and clear documentation.



@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
lib/privy/client.ts (1)

12-15: Tighten PEM detection to avoid false positives.

Line 12 and Line 15 use includes("BEGIN"), which is too broad and can incorrectly treat non-PEM strings as PEM. Use a strict PEM header regex instead.

Proposed diff
 function resolveJwtVerificationKey(): string | undefined {
   const raw = process.env.PRIVY_JWT_VERIFICATION_KEY?.trim();
   if (!raw) return undefined;
-  if (raw.includes("BEGIN")) return raw;
+  const isPem = (value: string) => /^-----BEGIN [A-Z0-9 ]+-----/m.test(value);
+  if (isPem(raw)) return raw;
   try {
     const decoded = Buffer.from(raw, "base64").toString("utf8");
-    if (decoded.includes("BEGIN")) return decoded;
+    if (isPem(decoded)) return decoded;
   } catch {
     /* ignore */
   }
   return raw;
 }
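Review bot: the proposed `isPem` checks only the BEGIN header, while the agent prompt for this same finding asks for a corresponding END check; without the footer, a PEM value truncated before `-----END ...-----` still passes and only fails later inside the Privy SDK, so extend the test to require both lines (ideally with matching labels). Separately, `Buffer.from(raw, "base64")` does not throw on non-base64 input, it silently drops invalid characters, so the try/catch around the decode is dead code and the KISS guideline quoted here argues for removing it. Lastly, the closing `return raw;` forwards any value that is neither PEM nor base64(PEM) as the verification key; unless plain non-PEM strings are a supported Privy input, returning undefined or throwing there would surface a misconfigured env var at startup instead of at the first token check.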
As per coding guidelines, "KISS: Prefer simple, readable implementations over clever optimizations."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@lib/privy/client.ts` around lines 12 - 15, The PEM detection using
raw.includes("BEGIN") and decoded.includes("BEGIN") is too broad; replace those
checks with a strict PEM header/footer regex (e.g. /^-----BEGIN [A-Z ]+-----/m
and corresponding END) and test raw (and the base64-decoded decoded) against
that regex so only actual PEM blocks are accepted; update the checks around the
Buffer.from(raw, "base64").toString("utf8") flow (the raw and decoded variables)
to use regex.test(...) and return only when the regex matches.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6fd0cef0-2431-4c8a-8da4-9b2802fc373b

📥 Commits

Reviewing files that changed from the base of the PR and between 0505b3f and f315349.

📒 Files selected for processing (1)
  • lib/privy/client.ts
