From f51311caa2b191e273ec7322518caa492e01dbfa Mon Sep 17 00:00:00 2001
From: Arshavir Ter-Gabrielyan
Date: Fri, 12 Jun 2026 00:50:27 +0200
Subject: [PATCH 1/3] fix(wallet): only set II derivationOrigin in the production build mode Since the orbit.global domain migration (#520), every IC-hosted build (including playground and testing) sent derivationOrigin 'https://orbitwallet.io' to Internet Identity. II validates the page origin against that domain's /.well-known/ii-alternative-origins, which only lists 'https://app.orbit.global', so logins from playground/testing origins were rejected with 'Unverified origin'. Non-production build modes now authenticate against their own origin, restoring the pre-migration behavior. Co-Authored-By: Claude Fable 5
---
 apps/wallet/src/configs/init.config.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/apps/wallet/src/configs/init.config.ts b/apps/wallet/src/configs/init.config.ts
index 8e4acc0de..fe68cd8be 100644
--- a/apps/wallet/src/configs/init.config.ts
+++ b/apps/wallet/src/configs/init.config.ts
@@ -30,7 +30,13 @@ const appInitConfig: AppInitConfig = {
 isProduction: !!import.meta.env.PROD,
 apiGatewayUrl: new URL(import.meta.env.PROD ? 'https://icp-api.io' : 'http://localhost:4943'),
 httpGatewayUrl: getHttpGatewayUrl(import.meta.env.PROD),
- derivationOrigin: import.meta.env.PROD ? 'https://orbitwallet.io' : undefined,
+ // Only the production build mode derives the identity from the legacy domain; other
+ // IC-hosted build modes (e.g. playground, testing) authenticate against their own origin,
+ // which is not listed in the production domain's ii-alternative-origins.
+ derivationOrigin:
+ import.meta.env.PROD && import.meta.env.APP_BUILD_MODE === 'production'
+ ? 'https://orbitwallet.io'
+ : undefined,
 marketingSiteUrl: import.meta.env.APP_MARKETING_SITE_URL,
 locale: {
 default: defaultLocale,
From 1237f89b8f8ac03b5018ec12ba1d90c018b560da Mon Sep 17 00:00:00 2001
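Review bot: The new `derivationOrigin` condition fails silently: if `import.meta.env.APP_BUILD_MODE` is unset or spelled differently in the production pipeline, the value becomes `undefined` and Internet Identity would derive principals from the page origin instead of `https://orbitwallet.io`, which presumably gives existing users a different identity rather than an error. Nothing in the hunk validates the build mode, so I would check it against the known modes at build time or startup and fail loudly on an unexpected value. I would also extend the comment with `// Changing this value changes every user's II principal; the legacy domain's ii-alternative-origins must list the production origin.` The `appInitConfig` literal starts and ends outside the hunk, so other uses of the build mode are not visible here.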
From: Arshavir Ter-Gabrielyan
Date: Fri, 12 Jun 2026 00:50:39 +0200
Subject: [PATCH 2/3] fix(build): make local docker builds reproducible from dirty working trees Two issues broke ./scripts/docker-build.sh on developer machines: - .dockerignore only excluded the repo-root node_modules; Docker patterns are not recursive, so nested installs (apps/wallet, docs, cli) leaked host-specific pnpm symlinks into the build context and corrupted the in-image pnpm install (vite binary missing). Use **/node_modules to exclude them at any depth. - On Apple Silicon, buildx default provenance attestations wrap the image in a manifest list that the subsequent 'docker create' cannot resolve for linux/amd64 ('no match for platform'). Disable them with --provenance=false. Co-Authored-By: Claude Fable 5
---
 .dockerignore | 2 +-
 scripts/docker-build.sh | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index 08a21ec97..99535f01b 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,5 +1,5 @@
 Dockerfile
-node_modules
+**/node_modules
 docs/old
 dist
 target
diff --git a/scripts/docker-build.sh b/scripts/docker-build.sh
index a20b77e4a..41a745d30 100755
--- a/scripts/docker-build.sh
+++ b/scripts/docker-build.sh
@@ -56,8 +56,9 @@ function deterministic_build() {
 local project_name=$1
 local target=$2
- # Build the canister
- docker build --build-arg BUILD_MODE=$BUILD_MODE -t orbit-$project_name --target $target . --platform=linux/amd64
+ # Build the canister. Provenance attestations are disabled so the output is a single
+ # manifest that `docker create` can resolve on non-amd64 hosts (e.g. Apple Silicon).
+ docker build --build-arg BUILD_MODE=$BUILD_MODE -t orbit-$project_name --target $target . --platform=linux/amd64 --provenance=false
 # Create a container to extract the generated artifacts
 docker create --name orbit-$project_name-container orbit-$project_name
From a0371b8a0ab20d16d8bb465103ef1e216413a6f4 Mon Sep 17 00:00:00 2001
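Review bot: The `dist` and `target` entries kept as context below the changed line are still root-only patterns, so by the reasoning in the commit message nested build outputs (for example under `apps/wallet`) would still enter the build context from a dirty tree. If the Dockerfile copies those paths, stale host artifacts could end up in an image that is meant to be deterministic. I would change them to `**/dist` and `**/target` in the same commit, unless the build needs a nested directory of that name.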
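Review bot: `--provenance=false` on the new `docker build` line is a buildx-only flag, so the script would fail with an unknown-flag error wherever `docker build` still resolves to the legacy builder. Prefixing the command with `BUILDX_NO_DEFAULT_ATTESTATIONS=1` turns off the same default attestations and is ignored by builders that do not know it. The flag also drops provenance metadata when the script runs in CI, which is only harmless if the image is a local vehicle for extracting artifacts and is never pushed; if that is the case the comment should say so, e.g. `# The image is never published; it only exists to extract the build artifacts.` `deterministic_build` continues past the end of the hunk.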
From: Arshavir Ter-Gabrielyan
Date: Fri, 12 Jun 2026 00:50:39 +0200
Subject: [PATCH 3/3] chore: record playground docs_portal canister id Created by scripts/deploy.sh --playground while restoring the wiped playground environment (the control_panel had run out of cycles and lost its module). Key order normalized by dfx. Co-Authored-By: Claude Fable 5
---
 canister_ids.json | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/canister_ids.json b/canister_ids.json
index d2ab55095..814602e1b 100644
--- a/canister_ids.json
+++ b/canister_ids.json
@@ -1,4 +1,7 @@
 {
+ "app_marketing": {
+ "production": "kguhj-fyaaa-aaaaa-qad6a-cai"
+ },
 "app_wallet": {
 "playground": "bxkhk-6yaaa-aaaal-ai6va-cai",
 "production": "5fu67-giaaa-aaaal-ajbla-cai",
@@ -9,10 +12,8 @@
 "production": "5mxvd-qaaaa-aaaal-ajbkq-cai",
 "testing": "lotbt-qqaaa-aaaal-aduzq-cai"
 },
- "app_marketing": {
- "production": "kguhj-fyaaa-aaaaa-qad6a-cai"
- },
 "docs_portal": {
+ "playground": "d537j-aaaaa-aaaal-asz5q-cai",
 "production": "bp6mw-eqaaa-aaaac-ahroq-cai"
 },
 "wasm_chunk_store": {