fix: align public-api Docker image paths and simplify server config

[kaladinlight]

Summary

• Fix production Docker image by mirroring monorepo directory structure so __dirname-relative paths work for both docs and asset data — no env vars needed
• Add env.ts with Zod schema validation — server fails fast at startup with clear errors for any missing or invalid env vars, eliminating all process.env reads and fallbacks scattered across the codebase
• Hardcode trust proxy: 1 (required for express-rate-limit to correctly identify client IPs behind Railway's proxy)
• Remove SWAP_SERVICE_BASE_URL re-export from config.ts — all usages read from env directly
• Remove MICROSERVICES_URL — partner code resolution now uses SWAP_SERVICE_BASE_URL consistently
• Expose DEFAULT_AFFILIATE_BPS as a configurable env var
• Simplify PORT — no parseInt needed since app.listen accepts strings
• Remove unused API_HOST, API_PORT config and TRUST_PROXY/ASSET_DATA_PATH env vars
• Simplify asset loading to a single __dirname-relative path instead of a fallback array
• Comprehensive .env.example with all vars explicit and pointing to dev endpoints

Test plan

• Docker image builds and starts without errors
• /health responds correctly
• /docs loads without ENOENT errors
• Assets load correctly (31k+ assets)
• Rate limiting works correctly with trust proxy: 1

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated default environment example with many concrete service endpoints, API key placeholders, affiliate/feature flags, and extended rate-limit defaults.
  • Added runtime environment validation to detect misconfiguration and fail fast.
  • Adjusted asset data resolution and container image/startup layout for the public API.
• Refactor
  • Centralized environment sourcing for server startup, middleware, and service integrations.

[coderabbitai]

Warning

Rate limit exceeded

@kaladinlight has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 49 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cd091d4e-5280-4c41-9de4-ab24b7e50319

📥 Commits

Reviewing files that changed from the base of the PR and between 07374a1 and 47ff0f5.

📒 Files selected for processing (2)

• packages/public-api/src/env.ts
• packages/public-api/src/routes/affiliate/getAffiliateStats.ts

📝 Walkthrough

Walkthrough

Centralized environment validation with a Zod-based env module; replaced in-file process.env handling across config, middleware, routes, and swapper deps with env.*; updated Dockerfile and deterministic asset path resolution; expanded .env.example; rate-limiters and feature flags now come from env.

Changes

Cohort / File(s)	Summary
Environment schema & usage packages/public-api/src/env.ts	Add Zod envSchema, validate/coerce process.env, export env; fail fast (console errors + process.exit(1)) on validation errors.
Top-level config & startup packages/public-api/src/config.ts, packages/public-api/src/index.ts	Remove local API_PORT/API_HOST and in-file SWAP_SERVICE_BASE_URL logic; switch startup and trust-proxy to use env values; import env where needed.
.env example packages/public-api/.env.example	Replace commented/optional entries with concrete defaults and many new keys (UNCHAINED_*, *_NODE_URL, *_MIDGARD_URL, swapper base URLs, API key placeholders, affiliate defaults, feature flags, extended rate-limit entries).
Docker build & runtime packages/public-api/Dockerfile	Adjust production stage to copy built entrypoint to packages/public-api/dist/server.cjs, include packages/public-api/docs, change generated asset destination path, remove ASSET_DATA_PATH, and run new entrypoint path.
Asset discovery packages/public-api/src/assets.ts	Replace multiple ASSET_DATA_PATH/cwd fallbacks with a deterministic __dirname-based path to ../../../public/generated/generatedAssetData.json; remove prior existence warnings.
Middleware & auth packages/public-api/src/middleware/auth.ts	Source partner-resolution URL from env.SWAP_SERVICE_BASE_URL and default affiliate BPS from env.DEFAULT_AFFILIATE_BPS (replacing previous env/local constants).
Rate limiting packages/public-api/src/middleware/rateLimit.ts	Remove local env-int parsing; createLimiter accepts numeric max; limiter maxima now come from env.*; add affiliateMutationLimiter.
Routes: affiliate & status packages/public-api/src/routes/affiliate/getAffiliateStats.ts, packages/public-api/src/routes/status/getSwapStatus.ts, packages/public-api/src/routes/status/utils.ts	Switch swap-service base URL usage from local config constant to env.SWAP_SERVICE_BASE_URL; request/response behavior unchanged.
Swapper dependencies packages/public-api/src/swapperDeps.ts	Replace getServerConfig()/process.env fallbacks with direct env.* variables; simplify unchained URL mappings to use env.UNCHAINED_*.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I dug a schema, tidy and bright,

envs all nested, checked by night,
Docker boots where servers play,
assets found without delay,
I hop — the pipeline's feeling light.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately captures the main objectives: aligning Docker paths and simplifying server config through centralized environment validation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-public-api-build

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/public-api/src/env.ts`:
- Around line 4-5: Replace the loose validator "const flag =
z.string().transform(v => v === 'true')" with a strict enum-based validator so
only the literals "true" or "false" are accepted; change the schema for the
feature-flag (the const named flag in this module) to use
z.enum(['true','false']) and then transform the validated string to a boolean
(e.g., .transform(v => v === 'true')), which will cause invalid values (like
"TRUE", "1", typos, or extra whitespace) to fail validation at startup instead
of silently mapping to false.
- Around line 8-9: Tighten the zod schemas for numeric and boolean env vars:
validate PORT and DEFAULT_AFFILIATE_BPS using a numeric regex (e.g.,
.regex(/^\d+$/, 'PORT must be numeric') / 'DEFAULT_AFFILIATE_BPS must be
numeric') instead of allowing any string, change all RATE_LIMIT_* fields to use
integer validation (e.g., .int().min(1) or similar) so empty strings or
non-numeric values fail validation, and update the feature flag fields
referenced around the feature flag block (lines 61-63 and 65-75) to explicitly
validate booleans (reject invalid strings rather than coercing to false) using
zod boolean parsing or a stricter pre-parse with .refine/.transform to produce
clear error messages; update the schema entries for PORT, DEFAULT_AFFILIATE_BPS,
each RATE_LIMIT_* key, and the feature flag keys accordingly.

In `@packages/public-api/src/routes/affiliate/getAffiliateStats.ts`:
- Around line 61-62: The code builds backendUrl using new
URL(`/swaps/affiliate-fees/${address}`, env.SWAP_SERVICE_BASE_URL) which drops
any service prefix in SWAP_SERVICE_BASE_URL; change it to build the endpoint
using string concatenation instead (e.g., combine env.SWAP_SERVICE_BASE_URL with
"/swaps/affiliate-fees/" + address) so the service prefix is preserved; update
the backendUrl assignment in getAffiliateStats.ts (the const backendUrl
variable) accordingly and ensure any subsequent usage expects a string or new
URL(...) constructed from the full concatenated string.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b5d38514-dc60-4fcd-b3ce-4f7174f61059

📥 Commits

Reviewing files that changed from the base of the PR and between cdaf446 and 1c5b741.

📒 Files selected for processing (10)

• packages/public-api/.env.example
• packages/public-api/src/config.ts
• packages/public-api/src/env.ts
• packages/public-api/src/index.ts
• packages/public-api/src/middleware/auth.ts
• packages/public-api/src/middleware/rateLimit.ts
• packages/public-api/src/routes/affiliate/getAffiliateStats.ts
• packages/public-api/src/routes/status/getSwapStatus.ts
• packages/public-api/src/routes/status/utils.ts
• packages/public-api/src/swapperDeps.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/public-api/src/index.ts