fix(ci): Staging calls production API — NEXT_PUBLIC_API_BASE_URL baked in at build time

[github-actions]

Summary

The workflow bakes NEXT_PUBLIC_API_BASE_URL=https://api.cognitivemesh.io into the client bundle via Docker build-args, then promotes the same image to both staging and production. Because Next.js inlines NEXT_PUBLIC_* variables at build time, staging can never override this value at runtime and will always call the production API endpoint.

Affected file

.github/workflows/deploy-frontend.yml — lines 97-99

Required fix

Either:

1. Create separate build jobs per environment, each passing environment-specific NEXT_PUBLIC_API_BASE_URL; or
2. Move API configuration to runtime (e.g., server-side config endpoint, SSR context, or non-NEXT_PUBLIC_ env var read server-side and exposed to the client).

References

• PR Phase 16: Remaining widgets, role-based UI, frontend tests #361 review: Phase 16: Remaining widgets, role-based UI, frontend tests #361 (comment)
• Severity: 🔴 Critical

[blocksorg]

Mention Blocks like a regular teammate with your question or request:

@blocks can you add technical details to this issue?
@blocks make the following changes ...
@blocks create an issue from what was mentioned in the following comment ...
@blocks explain the following code ...
@blocks are there any security or performance concerns?

Run @blocks /help for more information.

Workspace settings | Disable this message