[comp] Production Deploy #2453

Marfuen merged 2 commits into release from main on Apr 3, 2026

github-actions bot commented Apr 3, 2026

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.

github-actions bot and others added 2 commits April 3, 2026 15:00

cursor bot commented Apr 3, 2026

PR Summary

Medium Risk
Touches custom-domain verification and CORS trusted-origin logic, which can impact portal availability and cross-origin auth if verification state is miscomputed or Vercel calls fail.

Overview
Tightens CORS custom-domain allowlisting to include only domainVerified trusts.

Hardens trust-portal custom domain flows by URL-encoding domains in Vercel/networkcalc requests, preventing path injection, ensuring DNS checks only run for the organization’s configured domain, and syncing verification requirements/tokens from live Vercel status.

Updates domain management to remove an old Vercel domain when switching, avoid deleting/re-adding domains already on the project (preserving verification tokens), and only mark domainVerified/publish when Vercel confirms ownership for cross-account domains; the UI now reflects “effectively verified” based on both DB and Vercel and shows the _vercel TXT guidance/value from live Vercel data.

Written by Cursor Bugbot for commit c21c656. This will update automatically on new commits.

vercel bot commented Apr 3, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| app (staging) | Building | | Apr 3, 2026 3:29pm |
| comp-framework-editor | Ready | Preview, Comment | Apr 3, 2026 3:29pm |

1 Skipped Deployment

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| portal (staging) | Skipped | | Apr 3, 2026 3:29pm |

Marfuen merged commit 150f2f4 into release Apr 3, 2026
12 of 13 checks passed
@claudfuen

🎉 This PR is included in version 3.15.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

    return {
      success: true,
      needsVerification: !domainVerified,
    };

Stale domainVerified preserved when Vercel status regresses

Medium Severity

In the alreadyOnProject branch, domainVerified is carried over from the DB (line 750–753) and stored in the upsert without considering the fresh Vercel state. If a previously verified domain now has statusData.verified === false (e.g., domain moved to another Vercel account), the DB ends up with domainVerified: true AND isVercelDomain: true simultaneously. The CORS query in auth.server.ts trusts domainVerified: true, so the domain stays in the allow-list even though Vercel can't serve it. The return value needsVerification: false also hides the verification UI from the user.

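The stale-flag case from the Bugbot comment above, as an added example that is not code from this PR: it compares carrying the stored `domainVerified` over unchanged with reconciling it against the live `statusData.verified`, and shows the effect on a CORS allow-list that trusts `domainVerified`. The type names, function names and sample domain are hypothetical, and the AND rule is one assumed way to reconcile, not the project's fix.

```typescript
// Added illustration, not code from the PR. Type and function names are
// hypothetical; field names follow the review comment.
interface TrustRow {
  domain: string;
  domainVerified: boolean;
}

// Constructed shape: only the `verified` flag the comment refers to.
interface VercelStatus {
  verified: boolean;
}

interface UpsertOutcome {
  row: TrustRow;
  result: { success: boolean; needsVerification: boolean };
}

// Behaviour the comment describes: the DB flag is carried over unchanged.
function carryOver(existing: TrustRow, _statusData: VercelStatus): UpsertOutcome {
  const domainVerified = existing.domainVerified;
  return {
    row: { ...existing, domainVerified },
    result: { success: true, needsVerification: !domainVerified },
  };
}

// Reconciled variant (assumption): a stored `true` survives only while Vercel
// still reports the domain as verified. It never upgrades an unverified row.
function reconcile(existing: TrustRow, statusData: VercelStatus): UpsertOutcome {
  const domainVerified = existing.domainVerified && statusData.verified;
  return {
    row: { ...existing, domainVerified },
    result: { success: true, needsVerification: !domainVerified },
  };
}

// CORS allow-list built only from rows whose domainVerified flag is set.
function trustedOrigins(rows: TrustRow[]): string[] {
  return rows.filter((r) => r.domainVerified).map((r) => `https://${r.domain}`);
}

// Constructed sample: verified earlier, Vercel now reports verified === false.
const stored: TrustRow = { domain: "trust.example.com", domainVerified: true };
const regressed: VercelStatus = { verified: false };

const stale = carryOver(stored, regressed);
const fresh = reconcile(stored, regressed);
console.log(trustedOrigins([stale.row]), stale.result.needsVerification);
console.log(trustedOrigins([fresh.row]), fresh.result.needsVerification);
```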
