From 5ba315fd027eccd36f296dab55a155448315b392 Mon Sep 17 00:00:00 2001
From: root <root@srv1491630.hstgr.cloud>
Date: Tue, 5 May 2026 22:04:06 +0000
Subject: [PATCH] fix(web): prevent public bundle localhost api fallback

---
 docker-compose.yml     | 5 +++--
 shared/runtime.ts      | 7 ++++---
 web/src/lib/runtime.ts | 4 ++--
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 8095594..b3ecb31 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -50,8 +50,9 @@ services:
         BYTELYST_PACKAGE_SOURCE: ${BYTELYST_PACKAGE_SOURCE:-vendor}
         GITEA_NPM_TOKEN: ${GITEA_NPM_TOKEN:-}
         VITE_PRODUCT_ID: ${VITE_PRODUCT_ID:-invttrdg}
-        VITE_PLATFORM_URL: ${VITE_PLATFORM_URL:-https://api.bytelyst.com/platform/api}
-        VITE_TRADING_API_URL: ${VITE_TRADING_API_URL:-https://api.bytelyst.com/invttrdg}
+        # Public web builds must use the hosted APIs even if local .env contains dev localhost values.
+        VITE_PLATFORM_URL: https://api.bytelyst.com/platform/api
+        VITE_TRADING_API_URL: https://api.bytelyst.com/invttrdg
         VITE_BACKTEST_ENABLED: ${VITE_BACKTEST_ENABLED:-true}
     container_name: invttrdg-web
     ports:
diff --git a/shared/runtime.ts b/shared/runtime.ts
index 8a42b12..dcf99a5 100644
--- a/shared/runtime.ts
+++ b/shared/runtime.ts
@@ -27,7 +27,7 @@ export function getRuntimeEnvironment(surface: ProductSurface): RuntimeEnvironme
     readEnv(`${surfacePrefix}PLATFORM_URL`) ??
     readEnv('VITE_PLATFORM_URL') ??
     readEnv('PLATFORM_API_URL') ??
-    'http://localhost:4003/api';
+    (surface === 'web' ? 'https://api.bytelyst.com/platform/api' : 'http://localhost:4003/api');
 
   // Web code appends /api/... itself — no /api suffix in the base URL.
   // Mobile code expects /api included and strips it for socket (EXPO_PUBLIC_TRADING_API_URL=http://host:port/api).
@@ -36,7 +36,9 @@ export function getRuntimeEnvironment(surface: ProductSurface): RuntimeEnvironme
     readEnv(`${surfacePrefix}TRADING_API_URL`) ??
     readEnv('VITE_TRADING_API_URL') ??
     readEnv('TRADING_API_URL') ??
-    `http://localhost:${productConfig.backendPort}`;
+    (surface === 'web'
+      ? 'https://api.bytelyst.com/invttrdg'
+      : `http://localhost:${productConfig.backendPort}`);
 
   return {
     productId,
@@ -44,4 +46,3 @@ export function getRuntimeEnvironment(surface: ProductSurface): RuntimeEnvironme
     tradingApiUrl,
   };
 }
-
diff --git a/web/src/lib/runtime.ts b/web/src/lib/runtime.ts
index 8171698..79803b9 100644
--- a/web/src/lib/runtime.ts
+++ b/web/src/lib/runtime.ts
@@ -3,8 +3,8 @@ import { createTradingKillSwitchClient, createTradingWebTelemetry } from '../../
 // Read Vite env vars via import.meta.env (not process.env — Vite does not inject those in the browser bundle)
 export const tradingRuntime = {
   productId: (import.meta.env.VITE_PRODUCT_ID as string) || 'invttrdg',
-  platformApiUrl: (import.meta.env.VITE_PLATFORM_URL as string) || 'http://localhost:4003/api',
-  tradingApiUrl: (import.meta.env.VITE_TRADING_API_URL as string) || 'http://localhost:4018',
+  platformApiUrl: (import.meta.env.VITE_PLATFORM_URL as string) || 'https://api.bytelyst.com/platform/api',
+  tradingApiUrl: (import.meta.env.VITE_TRADING_API_URL as string) || 'https://api.bytelyst.com/invttrdg',
 };
 
 export const tradingKillSwitchClient = createTradingKillSwitchClient('web');