fix: use pnpm, add prisma generate to build, fix cache headers #107

Merged. support371 merged 1 commit into main from fix/deployment-config-and-caching, May 10, 2026

@support371 support371 commented May 10, 2026

Summary

Fixes deployment configuration and dangerous caching behavior that prevented the site from being fully operational.

Changes

vercel.json

  • Install command: Changed from npm install to pnpm install --frozen-lockfile (per project rules — pnpm is the required package manager)
  • Build command: Changed from npm run build to pnpm run db:generate && pnpm run build (ensures Prisma client is generated before build)
  • Dev command: Changed from npm run dev to pnpm dev
  • Removed API cache headers that were publicly caching auth endpoints (Cache-Control: public, max-age=60, s-maxage=120 on /api/*)
  • Removed duplicate security headers (now consolidated in next.config.js)

next.config.js

  • Removed Cache-Control: public, max-age=31536000, immutable on ALL routes — this was caching HTML pages for 1 year in browsers, preventing users from seeing deployment updates
  • Added security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy) consolidated from vercel.json
  • Set API routes to Cache-Control: no-store — auth and session endpoints must never be cached

Root Cause of Errors

The primary reason the site is not fully operational is that the PostgreSQL database is not connected. The /api/health endpoint returns {"status":"degraded","services":{"database":"error"}}. This breaks:

  • Login (/api/auth/login → 500)
  • Dashboard data
  • KYC workflow
  • All admin features
  • Audit logging

Required action: Set POSTGRES_PRISMA_URL and POSTGRES_URL_NON_POOLING environment variables in Vercel project settings. Provision a PostgreSQL database (Neon, Supabase, or Vercel Postgres) and run pnpm run db:push to initialize the schema.

Verification

  • pnpm install --frozen-lockfile
  • pnpm run db:generate
  • pnpm build ✓ (158 routes, 0 errors)
  • pnpm test ✓ (100/100 tests pass)

Files Changed

  • vercel.json
  • next.config.js

Summary by Sourcery

Update deployment and runtime configuration to use pnpm, fix Prisma generation in the build, and correct HTTP caching and security headers for the app and API routes.

Enhancements:

  • Adjust global HTTP headers to remove overly aggressive caching and add standard security headers for all routes.
  • Set API route caching to no-store to prevent sensitive auth and session responses from being cached.

Build:

  • Switch Vercel install and build commands to pnpm and ensure Prisma client generation runs before the Next.js build.

- vercel.json: Change installCommand from npm to pnpm install --frozen-lockfile
- vercel.json: Change buildCommand to include prisma generate before next build
- vercel.json: Change devCommand from npm to pnpm
- vercel.json: Remove conflicting API cache headers (was public caching auth endpoints)
- vercel.json: Remove duplicate security headers (consolidated in next.config.js)
- next.config.js: Remove Cache-Control immutable on all routes (was caching HTML 1yr)
- next.config.js: Add security headers consolidated from vercel.json
- next.config.js: Set API routes to no-store (auth endpoints must never be cached)

vercel Bot commented May 10, 2026

Deployment failed with the following error:

The `vercel.json` schema validation failed with the following message: should NOT have additional property `nodejs`

Learn More: https://vercel.com/docs/concepts/projects/project-configuration

sourcery-ai Bot commented May 10, 2026

Reviewer's Guide

Updates deployment and runtime configuration to use pnpm, ensure Prisma generation runs before builds, and fix dangerous caching by removing overly aggressive public cache headers and consolidating security headers in next.config.js, with API routes now explicitly marked as no-store.

Sequence diagram for API request with updated no-store caching

sequenceDiagram
  actor User
  participant Browser
  participant VercelServer
  participant NextApiRoute as NextAPI_Route
  participant Database as PostgreSQL_DB

  User->>Browser: Navigate to /api/auth/login
  Browser->>VercelServer: HTTP request /api/auth/login
  VercelServer->>NextApiRoute: Invoke handler for /api/auth/login
  NextApiRoute->>Database: Query user/session data
  Database-->>NextApiRoute: Result or error
  NextApiRoute-->>VercelServer: Response body
  VercelServer-->>Browser: Response with Cache-Control: no-store
  Browser->>Browser: Do not cache response

File-Level Changes

Change: Switch build/dev tooling to pnpm and ensure Prisma client is generated before builds.
Details:
  • Change Vercel install command from npm install to pnpm install --frozen-lockfile to align with project’s package manager
  • Change Vercel build command to run pnpm run db:generate before pnpm run build so Prisma client is available at build time
  • Change Vercel dev command from npm run dev to pnpm dev for local/preview runs
Files: vercel.json

Change: Fix unsafe caching behavior and centralize security/caching headers in Next.js config.
Details:
  • Remove global Cache-Control: public, max-age=31536000, immutable header on all routes to avoid year-long HTML caching in browsers
  • Add security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy) to the default header set in Next.js
  • Tighten API route caching by setting Cache-Control: no-store for /api/:path* so auth/session endpoints are never cached
  • Remove public cache headers for /api/* and duplicate security headers from vercel.json in favor of next.config.js definitions
Files: next.config.js, vercel.json


vercel Bot commented May 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
gem-enterprise Error Error May 10, 2026 5:34am

@sourcery-ai sourcery-ai Bot left a comment

Hey - I've found 1 issue, and left some high level feedback:

  • Consider applying more granular cache-control headers instead of removing the global long-term cache entirely, so that truly static assets (e.g. /_next/static, images) can still be cached aggressively while HTML and dynamic content remain uncached.
  • You’ve set Cache-Control: no-store on all /api/:path* routes; if there are non-sensitive, read-only endpoints that would benefit from caching, consider scoping no-store to only auth/session-related routes and applying more permissive policies elsewhere.
  • Review whether X-Frame-Options: SAMEORIGIN matches the intended embedding behavior for this app; if the UI is never meant to be framed, DENY would be stricter, and if some routes must be embeddable, you may need route-specific header overrides.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Consider applying more granular cache-control headers instead of removing the global long-term cache entirely, so that truly static assets (e.g. /_next/static, images) can still be cached aggressively while HTML and dynamic content remain uncached.
- You’ve set `Cache-Control: no-store` on all `/api/:path*` routes; if there are non-sensitive, read-only endpoints that would benefit from caching, consider scoping `no-store` to only auth/session-related routes and applying more permissive policies elsewhere.
- Review whether `X-Frame-Options: SAMEORIGIN` matches the intended embedding behavior for this app; if the UI is never meant to be framed, `DENY` would be stricter, and if some routes must be embeddable, you may need route-specific header overrides.

## Individual Comments

### Comment 1
<location path="next.config.js" line_range="57-62" />
<code_context>
+  // Headers for performance and security
   async headers() {
     return [
       {
         source: '/:path*',
         headers: [
-          {
-            key: 'Cache-Control',
-            value: 'public, max-age=31536000, immutable',
-          },
           {
</code_context>
<issue_to_address>
**suggestion (performance):** Consider reintroducing long-lived caching for static assets instead of removing the global Cache-Control header entirely.

Removing `Cache-Control` for `/:path*` will reduce browser/CDN caching of JS, CSS, and images, likely hurting performance and increasing bandwidth. If the goal is to relax caching for HTML or certain dynamic routes, consider narrowing the scope instead (e.g., keep long-lived caching on `/static/:path*`, `/_next/static/:path*`, etc.) while using less aggressive headers for dynamic content.
</issue_to_address>

Comment thread next.config.js
Comment on lines 57 to -62
{
source: '/:path*',
headers: [
{
key: 'Cache-Control',
value: 'public, max-age=31536000, immutable',
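
Review bot: with the Cache-Control entry dropped from the '/:path*' rule, this catch-all source no longer states any caching policy, so what HTML pages receive depends on defaults that are not visible in this file. Set the intended value for pages explicitly in this rule, and if the one-year 'immutable' policy is still wanted for fingerprinted assets, give it a narrower source of its own instead of the catch-all.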

suggestion (performance): Consider reintroducing long-lived caching for static assets instead of removing the global Cache-Control header entirely.

Removing Cache-Control for /:path* will reduce browser/CDN caching of JS, CSS, and images, likely hurting performance and increasing bandwidth. If the goal is to relax caching for HTML or certain dynamic routes, consider narrowing the scope instead (e.g., keep long-lived caching on /static/:path*, /_next/static/:path*, etc.) while using less aggressive headers for dynamic content.

cloudflare-workers-and-pages Bot commented May 10, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status: ❌ Deployment failed
Name: gem-enterprise
Latest Commit: b88e61f
Updated (UTC): May 10 2026, 05:37 AM

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b88e61fe12

Comment thread next.config.js
Comment on lines 82 to +83
key: 'Cache-Control',
value: 'public, max-age=60, s-maxage=120',
value: 'no-store',
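
Review bot: the new 'no-store' value under the 'Cache-Control' key has no comment recording why 'public, max-age=60, s-maxage=120' was unsafe for this rule. Add a one-line comment above the key saying that responses from this source can carry per-user data and must not be stored by browsers or shared caches, so the value is not loosened later for performance. Copies already stored under the old value can still be reused for up to 60 seconds by browsers and 120 seconds by shared caches after the deploy.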

P2: Avoid forcing no-store on all API routes

Setting Cache-Control: no-store on /api/:path* applies to every API handler, including the public news feed at src/app/api/intel/news/route.ts that explicitly uses export const revalidate = 60 for minute-level caching. This effectively disables caching for that endpoint, increasing repeated database reads and response latency under traffic; the no-store policy should be limited to sensitive endpoints (auth/session/etc.) or exclude cacheable public APIs.

Useful? React with 👍 / 👎.
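
The caching question raised in this thread can be checked mechanically. The following is an added example, not code from this pull request or repository: it resolves the effective Cache-Control for a path from Next.js-style header rules and flags sensitive paths that lack no-store. The function names are hypothetical, and the matcher is a simplification that handles only literal sources and a trailing `:path*` segment.

```javascript
// Added example, not the project's config. Simplified matcher (assumption):
// a source is either a literal path or a prefix ending in "/:name*".
function matches(source, path) {
  const star = source.match(/^(.*)\/:[A-Za-z_]+\*$/);
  if (!star) return source === path;
  const prefix = star[1]; // "" for "/:path*", "/api" for "/api/:path*"
  return path === prefix || path.startsWith(prefix + '/');
}

// Every matching rule applies; for a repeated header key the last rule wins.
function effectiveCacheControl(rules, path) {
  let value = null;
  for (const rule of rules) {
    if (!matches(rule.source, path)) continue;
    for (const h of rule.headers) {
      if (h.key.toLowerCase() === 'cache-control') value = h.value;
    }
  }
  return value;
}

// Flag sensitive paths whose configured policy does not contain no-store.
// A missing header is also flagged: storage is then left to cache defaults.
function auditSensitivePaths(rules, sensitivePaths) {
  const findings = [];
  for (const path of sensitivePaths) {
    const cc = effectiveCacheControl(rules, path);
    const directives = (cc || '').toLowerCase().split(',')
      .map((d) => d.trim().split('=')[0]);
    if (!directives.includes('no-store')) findings.push({ path, cacheControl: cc });
  }
  return findings;
}

// Header values come from the hunks on this page; the rule layout is constructed.
const before = [
  { source: '/:path*', headers: [
    { key: 'Cache-Control', value: 'public, max-age=31536000, immutable' }] },
  { source: '/api/:path*', headers: [
    { key: 'Cache-Control', value: 'public, max-age=60, s-maxage=120' }] },
];
const after = [
  { source: '/:path*', headers: [{ key: 'X-Frame-Options', value: 'SAMEORIGIN' }] },
  { source: '/api/:path*', headers: [{ key: 'Cache-Control', value: 'no-store' }] },
];

console.log(auditSensitivePaths(before, ['/api/auth/login']));
console.log(auditSensitivePaths(after, ['/api/auth/login']));
```

Because the last matching rule wins, a catch-all rule that sets Cache-Control and is listed after the `/api/:path*` rule would override no-store; the audit reports that ordering as a finding.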

@support371 support371 merged commit d76a81c into main May 10, 2026
5 of 21 checks passed
@support371 support371 deleted the fix/deployment-config-and-caching branch May 10, 2026 06:14