fix(env): read critical runtime flags via readServerEnv for Netlify SSR

- switch admin feature flag resolution in locale layout to readServerEnv
- update admin guard to use readServerEnv(ENABLE_ADMIN_API)
- update shop status token secret read to readServerEnv
- extend generated runtime fallback allowlist with:
  ENABLE_ADMIN_API, NEXT_PUBLIC_ENABLE_ADMIN, SHOP_STATUS_TOKEN_SECRET
- preserve Vercel-safe runtime-env.generated.ts stub import flow

Author: LesiaUKR

frontend/app/[locale]/layout.tsx

@@ -13,6 +13,7 @@ import { ThemeProvider } from '@/components/theme/ThemeProvider';
 import { getCachedBlogCategories } from '@/db/queries/blog/blog-categories';
 import { AuthProvider } from '@/hooks/useAuth';
 import { locales } from '@/i18n/config';
+import { readServerEnv } from '@/lib/env/server-env';
 
 export default async function LocaleLayout({
   children,
@@ -32,8 +33,8 @@ export default async function LocaleLayout({
 
   const enableAdmin =
     (
-      process.env.ENABLE_ADMIN_API ??
-      process.env.NEXT_PUBLIC_ENABLE_ADMIN ??
+      readServerEnv('ENABLE_ADMIN_API') ??
+      readServerEnv('NEXT_PUBLIC_ENABLE_ADMIN') ??
       ''
     ).toLowerCase() === 'true';
 

frontend/lib/auth/admin.ts

@@ -1,6 +1,7 @@
 import 'server-only';
 
 import type { NextRequest } from 'next/server';
+import { readServerEnv } from '@/lib/env/server-env';
 
 import { getCurrentUser } from '@/lib/auth';
 
@@ -31,7 +32,7 @@ export class AdminForbiddenError extends Error {
 export function assertAdminApiEnabled(): void {
   if (
     process.env.NODE_ENV === 'production' &&
-    process.env.ENABLE_ADMIN_API !== 'true'
+    readServerEnv('ENABLE_ADMIN_API') !== 'true'
   ) {
     throw new AdminApiDisabledError();
   }

frontend/lib/env/server-env.ts

@@ -41,6 +41,9 @@ const GENERATED_FALLBACK_KEYS = new Set([
   'GITHUB_CLIENT_ID_DEVELOP',
   'GITHUB_CLIENT_SECRET_DEVELOP',
   'GITHUB_CLIENT_REDIRECT_URI_DEVELOP',
+  'ENABLE_ADMIN_API',
+  'NEXT_PUBLIC_ENABLE_ADMIN',
+  'SHOP_STATUS_TOKEN_SECRET',
 ]);
 
 

frontend/lib/shop/status-token.ts

@@ -1,4 +1,5 @@
 import crypto from 'node:crypto';
+import { readServerEnv } from '@/lib/env/server-env';
 
 export const STATUS_TOKEN_SCOPES = [
   'status_lite',
@@ -27,7 +28,7 @@ type TokenPayload = {
 const DEFAULT_TTL_SECONDS = 45 * 60;
 
 function getSecret(): string {
-  const raw = process.env.SHOP_STATUS_TOKEN_SECRET ?? '';
+  const raw = readServerEnv('SHOP_STATUS_TOKEN_SECRET') ?? '';
   const trimmed = raw.trim();
   if (!trimmed) {
     throw new Error('SHOP_STATUS_TOKEN_SECRET is not configured');