Production hardening: Remove deprecations, optimize chain queries, enforce explicit configuration #134

2026-02-15T22:54:47-06:00

Copilot commented

2026-02-15 22:54:47 -06:00

(Migrated from github.com)

Addresses 5 production readiness issues: deprecated rate-limit API, inefficient blockchain queries, implicit testnet fallbacks, unclear Prisma setup, and unpinned Docker images.

Changes

1. Rate limit middleware (express-rate-limit v8)

Removed deprecated onLimitReached callback
Moved logging into handler function
Updated test suite to verify new implementation

2. Blockchain event queries

Replaced fromBlock: 0 (full chain scan) with last 1M blocks default
Added REGISTRY_START_BLOCK env var for contract deployment block
Extracted validation to block-range.util.ts
Added comprehensive test coverage with 15 test cases covering all code paths and edge cases

// Before: scans entire chain history on every call
const logs = await provider.getLogs({
  fromBlock: 0,
  toBlock: "latest",
  topics: [topic0, contentHash],
});

// After: configurable starting block with smart default
const startBlock = await getStartBlock(provider); // last 1M blocks or REGISTRY_START_BLOCK
const logs = await provider.getLogs({
  fromBlock: startBlock,
  toBlock: "latest", 
  topics: [topic0, contentHash],
});

3. RPC URL configuration

Removed || "https://sepolia.base.org" fallbacks across codebase
Services throw on missing RPC_URL
API routes return 503 when unconfigured
CLI scripts exit with error

4. Prisma schema documentation

Added comments explaining dual generator setup (root API vs Next.js web app node_modules)

5. Docker images

Pinned Redis: redis:7-alpine → redis:7.2-alpine

Testing

✅ Added test/utils/block-range.util.test.ts with 15 comprehensive test cases
✅ Tests cover valid inputs, invalid inputs, edge cases, and error scenarios
✅ Updated rate-limit middleware tests to verify new handler implementation
✅ All changes follow existing test patterns and conventions

Original prompt

This section details on the original issue you should resolve

<issue_title>Miscellaneous production hardening items</issue_title>
<issue_description>## Summary
Miscellaneous smaller issues that should be addressed for production readiness.

Items

1. onLimitReached deprecation in rate-limit middleware

rate-limit.middleware.ts uses onLimitReached which is deprecated in express-rate-limit v7. Should migrate to handler option.

2. fromBlock: 0 in event queries

contract.queryFilter(filter, 0, "latest") scans the entire chain history on every call. Should use a reasonable starting block or track last-scanned block.

3. Hardcoded testnet RPC fallback

chains.ts falls back to BASE_SEPOLIA_RPC_URL when no URL is configured, tying production code to a testnet. Should fail fast in production instead of silently connecting to testnet.

4. Dual Prisma generator fragility

prisma/schema.prisma has generators for both prisma-client-js (PostgreSQL) and a JSON/SQLite generator. This creates confusion about which database is actually used and requires both to be kept in sync.

5. Docker Compose Redis version

docker-compose.yml uses redis:7-alpine without pinning a specific patch version. Should pin for reproducibility (e.g., redis:7.2-alpine).

Acceptance Criteria

Deprecation warnings resolved

Event queries use efficient block range

RPC fallback behavior is explicit and safe

Prisma schema has clear documentation on multi-generator setup

Docker images use pinned versions</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes Miscellaneous production hardening items (subculture-collective/internet-id#124)

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Addresses 5 production readiness issues: deprecated rate-limit API, inefficient blockchain queries, implicit testnet fallbacks, unclear Prisma setup, and unpinned Docker images. ## Changes ### 1. Rate limit middleware (express-rate-limit v8) - Removed deprecated `onLimitReached` callback - Moved logging into `handler` function - Updated test suite to verify new implementation ### 2. Blockchain event queries - Replaced `fromBlock: 0` (full chain scan) with last 1M blocks default - Added `REGISTRY_START_BLOCK` env var for contract deployment block - Extracted validation to `block-range.util.ts` - Added comprehensive test coverage with 15 test cases covering all code paths and edge cases ```typescript // Before: scans entire chain history on every call const logs = await provider.getLogs({ fromBlock: 0, toBlock: "latest", topics: [topic0, contentHash], }); // After: configurable starting block with smart default const startBlock = await getStartBlock(provider); // last 1M blocks or REGISTRY_START_BLOCK const logs = await provider.getLogs({ fromBlock: startBlock, toBlock: "latest", topics: [topic0, contentHash], }); ``` ### 3. RPC URL configuration - Removed `|| "https://sepolia.base.org"` fallbacks across codebase - Services throw on missing `RPC_URL` - API routes return 503 when unconfigured - CLI scripts exit with error ### 4. Prisma schema documentation Added comments explaining dual generator setup (root API vs Next.js web app node_modules) ### 5. Docker images Pinned Redis: `redis:7-alpine` → `redis:7.2-alpine` ## Testing - ✅ Added `test/utils/block-range.util.test.ts` with 15 comprehensive test cases - ✅ Tests cover valid inputs, invalid inputs, edge cases, and error scenarios - ✅ Updated rate-limit middleware tests to verify new handler implementation - ✅ All changes follow existing test patterns and conventions  <details> <summary>Original prompt</summary> > > ---- > > *This section details on the original issue you should resolve* > > <issue_title>Miscellaneous production hardening items</issue_title> > <issue_description>## Summary > Miscellaneous smaller issues that should be addressed for production readiness. > > ## Items > > ### 1. `onLimitReached` deprecation in rate-limit middleware > `rate-limit.middleware.ts` uses `onLimitReached` which is deprecated in `express-rate-limit` v7. Should migrate to `handler` option. > > ### 2. `fromBlock: 0` in event queries > `contract.queryFilter(filter, 0, "latest")` scans the entire chain history on every call. Should use a reasonable starting block or track last-scanned block. > > ### 3. Hardcoded testnet RPC fallback > `chains.ts` falls back to `BASE_SEPOLIA_RPC_URL` when no URL is configured, tying production code to a testnet. Should fail fast in production instead of silently connecting to testnet. > > ### 4. Dual Prisma generator fragility > `prisma/schema.prisma` has generators for both `prisma-client-js` (PostgreSQL) and a JSON/SQLite generator. This creates confusion about which database is actually used and requires both to be kept in sync. > > ### 5. Docker Compose Redis version > `docker-compose.yml` uses `redis:7-alpine` without pinning a specific patch version. Should pin for reproducibility (e.g., `redis:7.2-alpine`). > > ## Acceptance Criteria > - [ ] Deprecation warnings resolved > - [ ] Event queries use efficient block range > - [ ] RPC fallback behavior is explicit and safe > - [ ] Prisma schema has clear documentation on multi-generator setup > - [ ] Docker images use pinned versions</issue_description> > > ## Comments on the Issue (you are @copilot in this section) > > <comments> > </comments> > </details>  - Fixes subculture-collective/internet-id#124  --- ✨ Let Copilot coding agent [set things up for you](https://github.com/subculture-collective/internet-id/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot) — coding agent works faster and does higher quality work when set up for your repo.

onnwee (Migrated from github.com) reviewed 2026-02-15 22:54:47 -06:00

PatrickFanella (Migrated from github.com) reviewed 2026-02-15 22:54:47 -06:00

copilot-pull-request-reviewer[bot] (Migrated from github.com) reviewed 2026-02-15 23:22:25 -06:00

copilot-pull-request-reviewer[bot] (Migrated from github.com) left a comment

Pull request overview

This PR addresses five production hardening issues related to deprecated APIs, blockchain query performance, configuration safety, documentation clarity, and Docker image versioning. The changes improve production readiness by removing testnet fallbacks, optimizing event queries, and clarifying system architecture.

Changes:

Migrated rate-limit middleware from deprecated onLimitReached to handler callback in express-rate-limit v8
Optimized blockchain event queries by replacing fromBlock: 0 with configurable starting block (REGISTRY_START_BLOCK env var or last 1M blocks)
Removed implicit testnet RPC URL fallbacks across all services, CLI scripts, and API routes to enforce explicit configuration

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
test/middleware/rate-limit.test.ts	Updated tests for rate limit handler to reflect migration from `onLimitReached` callback
scripts/verify.ts	Added RPC_URL validation with explicit error for CLI script
scripts/utils/block-range.util.ts	New utility function for calculating safe blockchain query start blocks
scripts/services/verification-queue.service.ts	Replaced `fromBlock: 0` with `getStartBlock()` for optimized event queries
scripts/services/registry.service.ts	Removed testnet fallback, added explicit RPC_URL validation
scripts/services/blockchain.service.ts	Removed testnet fallback from provider creation
scripts/routes/verification-jobs.routes.ts	Applied block range optimization to verification job route
scripts/routes/v1/verify.routes.ts	Added 503 responses when RPC_URL not configured
scripts/routes/health.routes.ts	Enhanced health check to report RPC_URL configuration status
scripts/register.ts	Added RPC_URL validation to registration CLI script
scripts/middleware/rate-limit.middleware.ts	Migrated from deprecated `onLimitReached` to `handler` with integrated logging
scripts/make-proof.ts	Applied block range optimization and added RPC_URL validation
prisma/schema.prisma	Added comprehensive documentation explaining dual generator setup
docker-compose.yml	Pinned Redis image from `redis:7-alpine` to `redis:7.2-alpine`
docker-compose.staging.yml	Pinned Redis image version for staging environment
docker-compose.production.yml	Pinned Redis image version for production environment
.env.example	Updated RPC_URL documentation and added REGISTRY_START_BLOCK configuration

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

## Pull request overview This PR addresses five production hardening issues related to deprecated APIs, blockchain query performance, configuration safety, documentation clarity, and Docker image versioning. The changes improve production readiness by removing testnet fallbacks, optimizing event queries, and clarifying system architecture. **Changes:** - Migrated rate-limit middleware from deprecated `onLimitReached` to `handler` callback in express-rate-limit v8 - Optimized blockchain event queries by replacing `fromBlock: 0` with configurable starting block (REGISTRY_START_BLOCK env var or last 1M blocks) - Removed implicit testnet RPC URL fallbacks across all services, CLI scripts, and API routes to enforce explicit configuration ### Reviewed changes Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment. <details> <summary>Show a summary per file</summary> | File | Description | | ---- | ----------- | | test/middleware/rate-limit.test.ts | Updated tests for rate limit handler to reflect migration from `onLimitReached` callback | | scripts/verify.ts | Added RPC_URL validation with explicit error for CLI script | | scripts/utils/block-range.util.ts | New utility function for calculating safe blockchain query start blocks | | scripts/services/verification-queue.service.ts | Replaced `fromBlock: 0` with `getStartBlock()` for optimized event queries | | scripts/services/registry.service.ts | Removed testnet fallback, added explicit RPC_URL validation | | scripts/services/blockchain.service.ts | Removed testnet fallback from provider creation | | scripts/routes/verification-jobs.routes.ts | Applied block range optimization to verification job route | | scripts/routes/v1/verify.routes.ts | Added 503 responses when RPC_URL not configured | | scripts/routes/health.routes.ts | Enhanced health check to report RPC_URL configuration status | | scripts/register.ts | Added RPC_URL validation to registration CLI script | | scripts/middleware/rate-limit.middleware.ts | Migrated from deprecated `onLimitReached` to `handler` with integrated logging | | scripts/make-proof.ts | Applied block range optimization and added RPC_URL validation | | prisma/schema.prisma | Added comprehensive documentation explaining dual generator setup | | docker-compose.yml | Pinned Redis image from `redis:7-alpine` to `redis:7.2-alpine` | | docker-compose.staging.yml | Pinned Redis image version for staging environment | | docker-compose.production.yml | Pinned Redis image version for production environment | | .env.example | Updated RPC_URL documentation and added REGISTRY_START_BLOCK configuration | </details> --- 💡 <a href="/subculture-collective/internet-id/new/main/.github/instructions?filename=*.instructions.md" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Add Copilot custom instructions</a> for smarter, more guided reviews. <a href="https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions-for-github-copilot" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Learn how to get started</a>.

scripts/utils/block-range.util.ts

						
				@@ -0,0 +37,4 @@

				  // Default to last 1 million blocks (avoids full chain scan while being comprehensive)

				  const currentBlock = await provider.getBlockNumber();

				  return Math.max(0, currentBlock - 1000000);

				}

copilot-pull-request-reviewer[bot] (Migrated from github.com) commented

2026-02-15 23:22:25 -06:00

The new getStartBlock utility function lacks test coverage. Other utilities in this codebase have corresponding test files (e.g., error-response.util.test.ts). This function involves important logic including environment variable parsing and blockchain interaction that should be tested to ensure correct behavior with different REGISTRY_START_BLOCK values and edge cases.

The new `getStartBlock` utility function lacks test coverage. Other utilities in this codebase have corresponding test files (e.g., `error-response.util.test.ts`). This function involves important logic including environment variable parsing and blockchain interaction that should be tested to ensure correct behavior with different REGISTRY_START_BLOCK values and edge cases.

PatrickFanella commented

2026-02-16 19:12:29 -06:00

(Migrated from github.com)

@copilot apply changes based on the comments in this thread

@copilot apply changes based on the comments in [this thread](https://github.com/subculture-collective/internet-id/pull/134#pullrequestreview-3806680163)

copilot-swe-agent[bot] (Migrated from github.com) reviewed 2026-02-16 19:23:24 -06:00

scripts/utils/block-range.util.ts

						
				@@ -0,0 +37,4 @@

				  // Default to last 1 million blocks (avoids full chain scan while being comprehensive)

				  const currentBlock = await provider.getBlockNumber();

				  return Math.max(0, currentBlock - 1000000);

				}

copilot-swe-agent[bot] (Migrated from github.com) commented

2026-02-16 19:23:24 -06:00

Added comprehensive test coverage in commit 6d484b2. The new test file includes 15 test cases covering:

Valid REGISTRY_START_BLOCK values (positive numbers, zero, large values)
Invalid inputs (NaN, negative numbers, empty strings)
Default fallback behavior (current block - 1M)
Edge cases (low block numbers, decimals, whitespace, provider errors)

Tests follow the same pattern as error-response.util.test.ts with proper setup/teardown and environment variable handling.

Added comprehensive test coverage in commit 6d484b2. The new test file includes 15 test cases covering: - Valid REGISTRY_START_BLOCK values (positive numbers, zero, large values) - Invalid inputs (NaN, negative numbers, empty strings) - Default fallback behavior (current block - 1M) - Edge cases (low block numbers, decimals, whitespace, provider errors) Tests follow the same pattern as error-response.util.test.ts with proper setup/teardown and environment variable handling.

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: subculture-collective/internet-id#134

Production hardening: Remove deprecations, optimize chain queries, enforce explicit configuration #134

Changes

1. Rate limit middleware (express-rate-limit v8)

2. Blockchain event queries

3. RPC URL configuration

4. Prisma schema documentation

5. Docker images

Testing

Items

1. onLimitReached deprecation in rate-limit middleware

2. fromBlock: 0 in event queries

3. Hardcoded testnet RPC fallback

4. Dual Prisma generator fragility

5. Docker Compose Redis version

Acceptance Criteria

Comments on the Issue (you are @copilot in this section)

Pull request overview

Reviewed changes

1. `onLimitReached` deprecation in rate-limit middleware

2. `fromBlock: 0` in event queries