Runbook: Track B — Set FRONTEND_ORIGIN on raxx-api-prod and raxx-api-staging
Issue: #1021 (Track B, B1)
ADR: 0047
Parent epic: #94
Purpose
Set the FRONTEND_ORIGIN Heroku config-var so CORS permits requests from
https://raxx.app on prod and https://raxx-app.pages.dev on staging.
No code change is required. backend_v2/api/__init__.py already reads this
env var on startup (fallback: http://localhost:3000) and passes it to
flask_cors.CORS(origins=...).
Operator commands
heroku config:set FRONTEND_ORIGIN=https://raxx.app -a raxx-api-prod >/dev/null 2>&1
heroku config:set FRONTEND_ORIGIN=https://raxx-app.pages.dev -a raxx-api-staging >/dev/null 2>&1
Stdout is silenced per ops convention (secrets-echo prevention); the exit code signals success or failure.
Verification
After setting the config-var on each app, confirm with:
heroku config:get FRONTEND_ORIGIN -a raxx-api-prod
heroku config:get FRONTEND_ORIGIN -a raxx-api-staging
To verify the CORS header end-to-end on prod:
curl -si -X OPTIONS https://api.raxx.app/api/system/status \
-H "Origin: https://raxx.app" \
-H "Access-Control-Request-Method: GET" \
| grep -i "access-control-allow-origin"
Expected: access-control-allow-origin: https://raxx.app
For staging substitute https://raxx-app.pages.dev as the Origin value and
target the staging API hostname.
Rollback
Remove the config-var to revert to the http://localhost:3000 fallback:
heroku config:unset FRONTEND_ORIGIN -a raxx-api-prod >/dev/null 2>&1
Note: removing the var on prod re-blocks all raxx.app customers. Only do this as an emergency kill-switch if the wired CORS is causing an incident.
Sequence context
This is B1 in the Track B launch sequence. Subsequent steps depend on B1 being complete:
| Step | Issue | Depends on |
|---|---|---|
| B1 | #1021 | — (entry point) |
| B2 | #1022 | B1 |
| B3 | #1023 | B1 + B2 |
| B5 | #1025 | B1 + B2 + B3 |
| B6 | #1026 | B5 |