From 0f40bc1c706252009dcfaafe64c75d0df9520c32 Mon Sep 17 00:00:00 2001
From: Madhura68 <janpetervisser2@gmail.com>
Date: Mon, 4 May 2026 14:16:49 +0200
Subject: [PATCH] fix(privacy): NODE_ENV-guard 4 debug-routes (before-launch
 privacy review)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Privacy/PII review-pass van Server Actions, API-routes, debug-paths en
Sentry config:

✅ Sentry sendDefaultPii: false in alle drie configs (server/edge/client)
✅ Geen wachtwoord/email/token in console-logs
✅ Pair-id-logs zijn metadata-only (5-min TTL, geen secret)

⚠️ Vier debug-routes hadden geen auth-guard:
- /api/debug/realtime-stream — rauwe pg_notify-stream zonder filtering
- /api/debug/emit-test-notify — anonieme test-emit op het kanaal
- /debug-env — lekt env-var-metadata (hostnames, lengtes, pooled-flag)
- /debug-realtime — UI op dezelfde rauwe pg_notify-stream

Allemaal gemarkeerd als TIJDELIJK met VERWIJDEREN-comments uit M8.
Voor v1 launch: NODE_ENV-guard die in productie 404 retourneert. Lokaal
dev blijft alles werken voor debugging.

Toekomstige cleanup: kunnen worden verwijderd zodra M8-realtime stabiel
draait in productie en niemand ze meer nodig heeft.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 app/api/debug/emit-test-notify/route.ts | 5 +++++
 app/api/debug/realtime-stream/route.ts  | 5 +++++
 app/debug-env/page.tsx                  | 4 ++++
 app/debug-realtime/page.tsx             | 4 ++++
 4 files changed, 18 insertions(+)

diff --git a/app/api/debug/emit-test-notify/route.ts b/app/api/debug/emit-test-notify/route.ts
index e480258..ae1de28 100644
--- a/app/api/debug/emit-test-notify/route.ts
+++ b/app/api/debug/emit-test-notify/route.ts
@@ -12,6 +12,11 @@ export const dynamic = 'force-dynamic'
 const CHANNEL = 'scrum4me_changes'
 
 export async function POST(request: Request) {
+  // Productie-guard: anonieme test-emit op pg_notify is niet voor productie.
+  if (process.env.NODE_ENV === 'production') {
+    return new Response('Not found', { status: 404 })
+  }
+
   const directUrl = process.env.DIRECT_URL ?? process.env.DATABASE_URL
   if (!directUrl) {
     return Response.json({ error: 'DIRECT_URL/DATABASE_URL niet gezet' }, { status: 500 })
diff --git a/app/api/debug/realtime-stream/route.ts b/app/api/debug/realtime-stream/route.ts
index e909bfc..1a02765 100644
--- a/app/api/debug/realtime-stream/route.ts
+++ b/app/api/debug/realtime-stream/route.ts
@@ -16,6 +16,11 @@ export const maxDuration = 300
 const CHANNEL = 'scrum4me_changes'
 
 export async function GET(request: NextRequest) {
+  // Productie-guard: deze debug-stream lekt rauw alle pg_notify-events.
+  if (process.env.NODE_ENV === 'production') {
+    return new Response('Not found', { status: 404 })
+  }
+
   const directUrl = process.env.DIRECT_URL ?? process.env.DATABASE_URL
   if (!directUrl) {
     return Response.json({ error: 'DIRECT_URL/DATABASE_URL niet gezet' }, { status: 500 })
diff --git a/app/debug-env/page.tsx b/app/debug-env/page.tsx
index e8d0c47..3e653b2 100644
--- a/app/debug-env/page.tsx
+++ b/app/debug-env/page.tsx
@@ -5,6 +5,7 @@
 // VERWIJDEREN zodra env-config op Vercel bevestigd is.
 
 import { headers } from 'next/headers'
+import { notFound } from 'next/navigation'
 
 export const dynamic = 'force-dynamic'
 export const runtime = 'nodejs'
@@ -45,6 +46,9 @@ function inspectSecret(name: string, raw: string | undefined): VarStatus {
 }
 
 export default async function DebugEnvPage() {
+  // Productie-guard: lekt env-var-metadata (hostnames, lengtes, pooled-flag).
+  if (process.env.NODE_ENV === 'production') notFound()
+
   // Force dynamic so each visit reads runtime env (niet build-time gecached)
   await headers()
 
diff --git a/app/debug-realtime/page.tsx b/app/debug-realtime/page.tsx
index 4dc28f3..f28124e 100644
--- a/app/debug-realtime/page.tsx
+++ b/app/debug-realtime/page.tsx
@@ -5,11 +5,15 @@
 //
 // VERWIJDEREN VOOR M8 OUT-OF-DRAFT.
 
+import { notFound } from 'next/navigation'
 import { DebugRealtimeClient } from './client'
 
 export const dynamic = 'force-dynamic'
 
 export default function DebugRealtimePage() {
+  // Productie-guard: deze pagina toont rauwe pg_notify-events zonder auth.
+  if (process.env.NODE_ENV === 'production') notFound()
+
   return (
     <div style={{ fontFamily: 'monospace', padding: 16 }}>
       <h1 style={{ fontSize: 18, fontWeight: 'bold' }}>Realtime debug — scrum4me_changes</h1>