Created
Jun 24, 05:09
Started
Jun 24, 05:09
Completed
Jun 24, 06:40
DevOps handoff
Type
Bug
Shape
backend
Worktree Slug
fix-ipinfo-geocoder-https
Repositories
turf-monster
Release Train
—
Branch
feat/fix-ipinfo-geocoder-https
Pull Request
https://github.com/amcritchie/turf-monster/pull/162
Acceptance Criteria
Expected Test Plan
Checks Run
Agent Context
ROOT CAUSE (verified live on turf-monster-mainnet): Geocoder 1.8.6 has use_https=false, so the :ipinfo_io lookup builds http://ipinfo.io/<ip>/geo. ipinfo now 301-redirects http->https with an empty/HTML body; Geocoder does not follow it -> 'response was not valid JSON' -> no result. detect_geo_state then leaves geo_state blank and geo_country defaults to 'US', so (a) Cdp::Catalog#available? fails closed (US && subdivision.nil? => false) producing 'Buying USDC via Coinbase isn't available in your region yet' for ALL US users, and (b) GeoSetting.blocked?(nil) returns false so the WA/ID/MT/LA/AZ/HI/NV/CA legal blocklist silently stops enforcing.
CDP integration itself is healthy (onramp_available?(US,CA)/(US,CO)=true, buy/config+buy/options=200 with USDC, key decodes to 64 bytes).
FIX: set use_https: true in config/initializers/geocoder.rb (proven: with use_https:true the dyno lookup returns country=US region=California). No ipinfo token needed (raw API works from Heroku IP; lookups cached per session).
Operator chose: one-line fix only, PR-only handoff (do NOT deploy to mainnet).
Stage Timeline
Who handled each stage, the time it took (measured), and the model / tokens / cost reported (best-effort) — plus who's on it right now. — means the agent didn't report that metric.
Conversation
QA review feedback, agent handoffs, and follow-up notes for this task.
Review cascade: 2/2 senior approvals. Carl (HEAVY/backend) — verified use_https flips query_url http→https in-process, all 4 acceptance criteria met, regression test confirmed non-tautological (red on http), 5 tests green locally. Shannon (LIGHT) — scoped, clean, all CI green. Non-blocking follow-up (Carl): geo fails OPEN for the state blocklist when indeterminate + detect_geo_state warns instead of ErrorLog — separate task.
Review cascade (3 reviewers, compliance-sensitive): carl[heavy] APPROVE — verified gem source flips ipinfo query_url to https, ran both test files 5/10 green, single call site, no side effects. shannon[light] APPROVE — fix scoped, comment accurate, tests exercise real detect_geo_state->normalize->GeoSetting pipeline. jasper[compliance] APPROVE — blocklist genuinely re-enforces, CDP fails-closed, strictly an improvement. CI all green incl playwright x3, mergeable.
ROLLOUT NOTES (carl+jasper, for Steffon/operator at prod ship): (1) Fix only enforces whatever is in the prod geo_settings row — find_or_create_by! won't auto-add CA; verify prod banned_states includes CA + row enabled via /admin/geo before relying on it. (2) Sessions cache geo_state 24h; /geo/check forces fresh detection so it self-heals on next contest page view — transient only. FOLLOW-UP (jasper, separate task): legal blocklist fails OPEN when US+state-undetectable (VPN/ipinfo-outage); make require_geo_allowed fail closed for US+blank-state. Not introduced by this fix (status quo was always-open); tracked separately.
Conductor note: task was adopted onto an already-ASSEMBLED RC (rel-20260624-a59e5f). release.add via the reopen! path set release_slug but left stage=reviewed (should be assembled); subsequent adopt! calls no-op'd because membership already existed. Manually moved reviewed->assembled to match reality (genuinely a QA-deployed member, fix verified live). Filed conductor bug as adopt-onto-assembled-stage-stuck.
QA PASS on qa.turfmonster.media (Steffon): use_https=true on the deployed dyno, Geocoder.search resolves country=US region=California (was nil), /geo/check returns a real state code, all 3 RC members boot. Held at operator ship gate — release rel-20260624-a59e5f stays assembled on QA; prod not shipped per operator.
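The failure chain from the Agent Context and the fail-open follow-up raised in the review notes, modelled as an added Ruby example (not the turf-monster source). `parse_lookup`, `detect_geo`, `blocked_fail_open?`, `blocked_fail_closed?` and `evaluate` are hypothetical stand-ins, `onramp_available?` is reduced to the one clause the ticket quotes, and both sample responses are constructed.

```ruby
require "json"
# Constructed stand-ins for the pipeline the ticket describes, not turf-monster code.
BANNED = %w[WA ID MT LA AZ HI NV CA].freeze # state list quoted in the ticket
US_STATES = { "California" => "CA", "Colorado" => "CO" }.freeze # sample subset

# Mimics a lookup that does not follow redirects: only a 200 with a JSON object counts.
def parse_lookup(status, body)
  return nil unless status == 200
  data = JSON.parse(body)
  data.is_a?(Hash) ? data : nil
rescue JSON::ParserError
  nil
end

# Returns [country, state]; country defaults to "US" on an empty lookup (per the ticket).
def detect_geo(result)
  return ["US", nil] if result.nil?
  [result["country"] || "US", US_STATES[result["region"]]]
end

# Fail-open check as the ticket describes it: a nil state is never "blocked".
def blocked_fail_open?(state)
  !state.nil? && BANNED.include?(state)
end

# Fail-closed variant from the follow-up note: US with an unknown state is blocked.
def blocked_fail_closed?(country, state)
  return true if country == "US" && state.nil?
  blocked_fail_open?(state)
end

# Only the clause quoted in the ticket: US with no subdivision is unavailable.
def onramp_available?(country, state)
  !(country == "US" && state.nil?)
end

# Constructed responses: the http redirect and the https success.
REDIRECT = [301, "<html><body>Moved Permanently</body></html>"].freeze
SUCCESS  = [200, '{"ip":"203.0.113.7","region":"California","country":"US"}'].freeze

def evaluate(response)
  country, state = detect_geo(parse_lookup(*response))
  { country: country, state: state, onramp: onramp_available?(country, state),
    blocked_open: blocked_fail_open?(state),
    blocked_closed: blocked_fail_closed?(country, state) }
end

[REDIRECT, SUCCESS].each { |r| p evaluate(r) }
```

On the redirect response the fail-open check lets the request through while the onramp check refuses it, which is why the outage surfaced as a purchase error rather than as a blocklist alert.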
Sealed-bid sizing
Alex (PM)
—
Avi (PO)
—
Dev
—
Actual
—