From 87313ecca50b132636895a510742544e5d687252 Mon Sep 17 00:00:00 2001
From: Rohil Surana
Date: Thu, 30 Apr 2026 14:06:00 +0530
Subject: [PATCH 1/3] fix(admin): stop leaking entire process.env into client bundle
The vite define block `"process.env": process.env` injects every environment variable from the build machine into the production JS bundle. This exposes secrets, internal URLs, and system paths to any user who loads the admin app. Replace with explicit allowlist of the single env var the app uses.
---
 web/apps/admin/vite.config.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/web/apps/admin/vite.config.ts b/web/apps/admin/vite.config.ts
index 4ad4fda40..a2b2341d6 100644
--- a/web/apps/admin/vite.config.ts
+++ b/web/apps/admin/vite.config.ts
@@ -65,7 +65,9 @@ export default defineConfig(() => {
 dedupe: ["react", "react-dom", "@tanstack/react-query", "@connectrpc/connect-query"],
 },
 define: {
- "process.env": process.env,
+ "process.env.NEXT_PUBLIC_FRONTIER_CONNECT_URL": JSON.stringify(
+ process.env.NEXT_PUBLIC_FRONTIER_CONNECT_URL || ""
+ ),
 },
 };
 });
From ca7b62e35ec4ad129bcb14e1b8940ef6b49ab459 Mon Sep 17 00:00:00 2001
From: Rohil Surana
Date: Thu, 30 Apr 2026 14:09:45 +0530
Subject: [PATCH 2/3] fix(admin): add FRONTIER_API_URL and FRONTIER_CONNECTRPC_URL to allowlist
---
 web/apps/admin/vite.config.ts | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/web/apps/admin/vite.config.ts b/web/apps/admin/vite.config.ts
index a2b2341d6..0e14f3292 100644
--- a/web/apps/admin/vite.config.ts
+++ b/web/apps/admin/vite.config.ts
@@ -68,6 +68,12 @@ export default defineConfig(() => {
 "process.env.NEXT_PUBLIC_FRONTIER_CONNECT_URL": JSON.stringify(
 process.env.NEXT_PUBLIC_FRONTIER_CONNECT_URL || ""
 ),
+ "process.env.FRONTIER_API_URL": JSON.stringify(
+ process.env.FRONTIER_API_URL || ""
+ ),
+ "process.env.FRONTIER_CONNECTRPC_URL": JSON.stringify(
+ process.env.FRONTIER_CONNECTRPC_URL || ""
+ ),
 },
 };
 });
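Review bot: The `define` block in the first patch's hunk carries no comment saying that every entry is inlined as a literal into the shipped JavaScript, so a later addition can quietly reintroduce the exposure this commit closes; I would add above it `// Values here are embedded verbatim in the public bundle: list non-secret keys one by one, never the whole process.env.` Client code that still reads any other `process.env.X` is presumably no longer substituted after this change, so searching the admin sources for `process.env.` before merging would show what else needs an entry. Bundles built before the fix may still be deployed or cached, so any credential that was present in the build environment at that time is best treated as exposed and rotated. The enclosing `defineConfig` callback starts outside the hunk.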
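Review bot: `process.env.FRONTIER_CONNECTRPC_URL` is added to the client-side `define` in the second patch's hunk with no stated reason, and the context lines of the third patch show the same variable used as the dev-server proxy `target`, which suggests it may be a backend address rather than a public endpoint. If the browser code only calls the `/frontier-connect` path, this entry is unnecessary and would put that address into the bundle, one of the categories the first commit message lists as a leak. I would confirm that some client module actually reads `process.env.FRONTIER_CONNECTRPC_URL` and otherwise drop the entry. The `|| ""` fallback also lets a build with the variable unset succeed silently; a build-time warning for a missing value would make that visible. The `define` block opens outside this hunk.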
From 624587b021e9af8dc0ecb7b1a6235dbba8c43352 Mon Sep 17 00:00:00 2001
From: Rohil Surana
Date: Thu, 30 Apr 2026 15:04:57 +0530
Subject: [PATCH 3/3] fix(admin): remove unused frontier-api proxy and FRONTIER_API_URL define
---
 web/apps/admin/vite.config.ts | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/web/apps/admin/vite.config.ts b/web/apps/admin/vite.config.ts
index 0e14f3292..3a47c76ad 100644
--- a/web/apps/admin/vite.config.ts
+++ b/web/apps/admin/vite.config.ts
@@ -42,11 +42,6 @@ export default defineConfig(() => {
 },
 server: {
 proxy: {
- "/frontier-api": {
- target: process.env.FRONTIER_API_URL,
- changeOrigin: true,
- rewrite: (path) => path.replace(/^\/frontier-api/, ""),
- },
 "/frontier-connect": {
 target: process.env.FRONTIER_CONNECTRPC_URL,
 changeOrigin: true,
@@ -68,9 +63,6 @@ export default defineConfig(() => {
 "process.env.NEXT_PUBLIC_FRONTIER_CONNECT_URL": JSON.stringify(
 process.env.NEXT_PUBLIC_FRONTIER_CONNECT_URL || ""
 ),
- "process.env.FRONTIER_API_URL": JSON.stringify(
- process.env.FRONTIER_API_URL || ""
- ),
 "process.env.FRONTIER_CONNECTRPC_URL": JSON.stringify(
 process.env.FRONTIER_CONNECTRPC_URL || ""
 ),