feat(mercury): egress_profile indirection for static-IP relay routing

[chitcommit]

What

Introduces an egress_profile indirection for the Mercury banking proxy so calls can route through a static-IP relay without further code changes once the egress node exists. Mercury per-token IP allowlisting is why chicago / it-can-be get 401 from Cloudflare's shared egress; the fix is to send Mercury calls out through one static IP. This makes ChittyConnect ready for that relay — it does not build the egress node (blocked on key-management authority).

How

mercuryFetch now honors an active egress profile resolved per-request:

• direct (default) — unchanged. Hits api.mercury.com directly with Authorization: Bearer, byte-for-byte the legacy request shape. Preserves today's working aribia path.
• relay — POSTs to MERCURY_EGRESS_URL with the Mercury token as X-Mercury-Token plus CF-Access-Client-Id / CF-Access-Client-Secret service-token headers so the relay is Access-locked. The relay envelope carries { method, path, body } with a relative path only — api.mercury.com host-allowlisting is preserved structurally (caller can never redirect to another host). Token stays in Secrets (Option A), transits as a header, never stored on the relay.
• Fail closed — if relay is selected but MERCURY_EGRESS_URL is unset, buildEgressRequest throws. No silent fallback to direct (that would mask misconfig and leak the shared egress IP).

Profile selection: global MERCURY_EGRESS_PROFILE (default direct) with optional per-slug override MERCURY_EGRESS_PROFILE_<SLUG>, mirroring getMercuryToken's existing env convention. No DB table — env suffices for 7 entities, structured so a mercury_connection { entity_id, egress_profile_id, allowed_hosts[], account_ids[] } record maps cleanly later.

Files

• src/api/routes/thirdparty.js — resolveEgressProfile + pure buildEgressRequest extracted; mercuryFetch takes an egress arg; requireMercuryToken stashes mercuryEgress; 4 call sites updated (accounts, account, transactions, refresh).
• tests/api/thirdparty-mercury-egress.test.js — 14 mock-free unit tests (no vi.mock): profile selection, per-slug override, header construction, fail-closed, direct-shape preservation, token-not-in-body. Relay HTTP round-trip deferred to an integration test once the egress node is provisioned (noted in-file).
• wrangler.jsonc — MERCURY_EGRESS_PROFILE/MERCURY_EGRESS_URL as non-secret vars (default direct/empty) across dev/staging/prod; MERCURY_EGRESS_ACCESS_CLIENT_ID/_SECRET as Secrets Store bindings mirroring the MERCURY_OIDC_* block.

Validation

• npx vitest run tests/api/thirdparty-mercury-egress.test.js → 14 passed
• Existing thirdparty-neon + thirdparty-notion-aliases → 6 passed (no regression)
• eslint src/api/routes/thirdparty.js → clean
• wrangler.jsonc → valid JSONC

The ONE config change to activate (once the egress node exists)

Set, per the credential hierarchy:

• vars: MERCURY_EGRESS_PROFILE=relay, MERCURY_EGRESS_URL=https://<egress-node>/mercury
• Secrets Store: MERCURY_EGRESS_ACCESS_CLIENT_ID, MERCURY_EGRESS_ACCESS_CLIENT_SECRET (Cloudflare Access service token for the relay)

No code change. direct remains the default until then.

Not in scope (blocked / out of lane)

Egress node provisioning and credential sweep/rotation — both require authority this workstream does not hold.

🤖 Generated with Claude Code

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	chittyconnect	83ccb47	Jun 16 2026, 05:12 PM

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

Warning

Review limit reached

@chitcommit, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 24 minutes and 41 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9b4d198e-e313-4203-b151-b6a8e9b65b9a

📥 Commits

Reviewing files that changed from the base of the PR and between c27eab2 and 83ccb47.

📒 Files selected for processing (3)

• src/api/routes/thirdparty.js
• tests/api/thirdparty-mercury-egress.test.js
• wrangler.jsonc

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch mercury-egress-profile

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Adds an egress-profile indirection to the Mercury proxy so Mercury API calls can be routed either directly (current behavior) or via a future static-IP relay without further code changes, plus configuration scaffolding and unit tests.

Changes:

• Adds resolveEgressProfile + buildEgressRequest and threads the resolved egress profile through Mercury route handlers.
• Introduces a relay request envelope ({ method, path, body }) and Cloudflare Access service-token headers for relay authentication.
• Adds unit tests for profile selection and request construction; updates wrangler.jsonc vars/secrets bindings for the new egress config.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
src/api/routes/thirdparty.js	Adds egress profile resolution + request construction and wires Mercury handlers to use it.
tests/api/thirdparty-mercury-egress.test.js	Adds unit tests covering egress profile selection and direct/relay request shapes.
wrangler.jsonc	Adds egress vars defaults and Secrets Store bindings for relay Access credentials across envs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[chitcommit]

Note on MERCURY_EGRESS_URL: this value is operator-controlled (set via wrangler vars/secrets, never caller-supplied) and is intentionally not host-validated — acceptable under the operator-trust model, the same trust boundary as any other deployment config. The caller-supplied path is now validated (see resolved thread) since that is the only attacker-influenced input that reaches the relay envelope.