Guard Litestream to production so preview envs can't clobber prod R2 (#2)

Mirrors frontdesk/norblom/bloomcrawl. start.sh ran 'litestream replicate' unconditionally; a Railway PR-preview env clones prod R2_* creds and would replicate its writes back over the prod backup. Gate on RAILWAY_ENVIRONMENT_NAME: only production runs Litestream; non-prod runs an ephemeral local DB. Prerequisite for project-wide prDeploys.
2 weeks ago · 2ba9dc2ec1
parent 09647afe3d
commit 2ba9dc2ec1
1 changed files with 11 additions and 0 deletions
--- a/scripts/start.sh
+++ b/scripts/start.sh
@ -2,6 +2,17 @@
 set -e
 DB=/data/docuseal/db.sqlite3
 mkdir -p /data/docuseal
+
+# Litestream replicates to the prod R2 path (litestream.yml). Only production may
+# touch it. A Railway PR-preview / staging env clones production's R2_* creds, so
+# without this guard it would restore prod data and replicate its own writes back
+# over the prod backup — silent data loss. Non-prod envs run an ephemeral local
+# DB, no R2.
+if [ "$RAILWAY_ENVIRONMENT_NAME" != "production" ]; then
+  echo "[start.sh] env=${RAILWAY_ENVIRONMENT_NAME:-local}: skipping Litestream (ephemeral DB, no R2)."
+  exec /app/bin/bundle exec puma -C /app/config/puma.rb --dir /app
+fi
+
 if [ ! -f "$DB" ]; then
  echo "[start.sh] DB missing — restoring from R2 via litestream..."
  litestream restore -if-replica-exists -config /etc/litestream.yml "$DB" || echo "[start.sh] WARN: restore failed; starting empty."