A hardcoded http://localhost:3000/api shipped to production either fails outright (CORS blocked, connection refused) or — worse — routes real user traffic to a developer laptop if that port happens to tunnel out via ngrok. Staging URLs like api-staging.yourdomain.com bypass production rate limits, log into the wrong database, and can leak real user PII into non-production systems outside your audit scope.
Severity is info because most occurrences surface as loud failures during smoke testing, though silent wrong-environment routes remain possible.
Grep the codebase for localhost:, 127.0.0.1, and any staging./dev./preview. subdomain patterns outside test files. Replace each with a process.env.NEXT_PUBLIC_* read, and set the production value in your hosting platform's environment config. Double-check webhook URLs in Stripe, Supabase, and any third-party dashboards — those live outside the repo and are easy to miss.
// lib/config.ts
const API_URL = process.env.NEXT_PUBLIC_API_URL
if (!API_URL) throw new Error('NEXT_PUBLIC_API_URL is required')
ID: pre-launch.final-verification.staging-urls-removed
Severity: info
What to look for: Count all URL references in the codebase. Enumerate any that point to staging, localhost, or development domains instead of the production domain. Search source code for localhost URLs, staging environment URLs, and test service endpoints that should not be present in production code. Look for: http://localhost, 127.0.0.1, staging domain patterns (staging., dev., test., preview. subdomains), hardcoded development API endpoints, or commented-out production URL switches. Check API client initializations and service configurations for hardcoded non-production URLs.
Pass criteria: No hardcoded localhost, staging, or test URLs found in production code paths. All URLs are either environment variables or relative paths. Zero staging or localhost URLs in production code (excluding development-only config files).
Fail criteria: Hardcoded localhost URLs or staging domain URLs found in non-test production code files.
Scope: This check evaluates source code files only (.ts, .tsx, .js, .jsx, .mjs, .cjs, configuration files like next.config.ts). Environment variable files (.env, .env.local, .env.production, etc.) are the exclusive domain of the env-vars-production check and should NOT be evaluated here. If a staging/localhost URL appears only in .env* files but not in source code, this check passes — the issue will be caught by env-vars-production instead.
Skip (N/A) when: Never — this applies to all projects.
Cross-reference: For test data removal, see test-data-removed. For environment variables, see env-vars-production.
Detail on fail: "Hardcoded localhost or staging URLs found in production code — API calls may fail or route to test systems in production"
Remediation: Hardcoded localhost or staging URLs cause production API calls to fail silently or, worse, route to your development environment:
// lib/config.ts — ensure production URLs
const BASE_URL = process.env.NEXT_PUBLIC_BASE_URL // Must be https://yourdomain.com in production
Search for localhost: patterns in source files, excluding test files and comments.
// Before (WRONG):
const API_URL = 'http://localhost:3000/api'
// After (CORRECT):
const API_URL = process.env.NEXT_PUBLIC_API_URL
NEXT_PUBLIC_API_URL (or equivalent) in your production environment configuration points to your real production API.
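A small scanner for this check, added here as an example (it is not the check's own tooling): it applies the localhost, 127.0.0.1 and staging./dev./test./preview. patterns to in-scope source files, skipping test files and full-line comments. The function names, the test-file naming rule and the sample files are assumptions constructed for illustration.

```javascript
// Added example: scanner for the staging-urls-removed check.
// Sample paths/contents are constructed; the test-file naming rule is an assumption.
const SOURCE_EXT = /\.(ts|tsx|js|jsx|mjs|cjs)$/; // .env* files fall out of scope here
const TEST_FILE = /(^|\/)(__tests__|tests?)\/|\.(test|spec)\.[cm]?[jt]sx?$/;
const PATTERNS = [
  /\blocalhost(?::\d+)?\b/i, // localhost, localhost:3000
  /\b127\.0\.0\.1\b/, // loopback literal
  // absolute URLs with a host label ending in staging/dev/test/preview
  /https?:\/\/[\w.-]*\b(?:staging|dev|test|preview)\.[\w-]+\.[\w.-]+/i,
];

function inScope(path) {
  return SOURCE_EXT.test(path) && !TEST_FILE.test(path);
}

// files: { path: contents }. Returns [{ file, line, match }].
function scan(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (!inScope(path)) continue;
    text.split("\n").forEach((line, i) => {
      if (line.trim().startsWith("//")) return; // skip full-line comments
      for (const p of PATTERNS) {
        const m = line.match(p);
        if (m) {
          findings.push({ file: path, line: i + 1, match: m[0] });
          break; // one finding per line is enough for pass/fail
        }
      }
    });
  }
  return findings;
}

const verdict = (files) => (scan(files).length === 0 ? "pass" : "fail");

// Constructed sample tree: two violations, one test file, one .env file.
const SAMPLE = {
  "lib/config.ts": "const API_URL = process.env.NEXT_PUBLIC_API_URL",
  "lib/client.ts": "// local override\nconst API = 'http://localhost:3000/api'",
  "lib/billing.ts": "export const HOOK = 'https://api-staging.yourdomain.com/webhooks'",
  "lib/client.test.ts": "const API = 'http://127.0.0.1:3000'",
  ".env.local": "NEXT_PUBLIC_API_URL=http://localhost:3000/api",
};

console.log(verdict(SAMPLE), scan(SAMPLE));
```

To run it against a real repository, build the `files` map from disk; webhook URLs set in third-party dashboards still need a manual review because they are not in the source tree.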