fix(shop): hard-code Shopify store identity to unblock Netlify scanner

Netlify's secrets scanner treats every env var value as sensitive and
fails the build when any of those values appear in the output, with no
semantic awareness of which ones are public. SHOPIFY_STORE_DOMAIN
(tanstack-2.myshopify.com) and SHOPIFY_API_VERSION (2026-01) are
public by design — Shopify prints the domain on every hosted-checkout
URL, order email, and receipt, and the version is a platform-wide
identifier.

Moving both to source constants in src/server/shopify/fetch.ts:
  - Keeps them out of the env-var watchlist entirely (no scan false
    positive, no per-site SECRETS_SCAN_OMIT_KEYS config needed)
  - Makes the store identity explicit in the codebase where the fetch
    helper lives
  - Leaves actual secrets (SHOPIFY_PRIVATE_STOREFRONT_TOKEN) in env

After this change, the only Shopify env var the deploy needs is
SHOPIFY_PRIVATE_STOREFRONT_TOKEN.

Author: tannerlinsley

src/server/shopify/fetch.ts

@@ -1,5 +1,16 @@
 import { env } from '~/utils/env'
 
+/**
+ * Shopify store identity. Hard-coded intentionally — these are public-by-
+ * design values (they appear in every Shopify-hosted checkout URL, order
+ * email, and receipt) and baking them into source keeps them out of the
+ * environment-variable scanner's watchlist without losing any security.
+ *
+ * Only the tokens are real secrets and remain in env vars.
+ */
+const SHOPIFY_STORE_DOMAIN = 'tanstack-2.myshopify.com'
+const SHOPIFY_API_VERSION = '2026-01'
+
 type ShopifyFetchInput<TVariables> = {
   query: string
   variables?: TVariables
@@ -35,13 +46,11 @@ export async function shopifyServerFetch<
   TData,
   TVariables = Record<string, unknown>,
 >(input: ShopifyFetchInput<TVariables>): Promise<TData> {
-  const domain = env.SHOPIFY_STORE_DOMAIN
   const token = env.SHOPIFY_PRIVATE_STOREFRONT_TOKEN
-  const version = env.SHOPIFY_API_VERSION
 
-  if (!domain || !token) {
+  if (!token) {
     throw new ShopifyError(
-      'Shopify server client is not configured. Set SHOPIFY_STORE_DOMAIN and SHOPIFY_PRIVATE_STOREFRONT_TOKEN in .env.local.',
+      'Shopify server client is not configured. Set SHOPIFY_PRIVATE_STOREFRONT_TOKEN in the environment.',
     )
   }
 
@@ -53,7 +62,7 @@ export async function shopifyServerFetch<
   if (input.buyerIp) headers['Shopify-Storefront-Buyer-IP'] = input.buyerIp
 
   const response = await fetch(
-    `https://${domain}/api/${version}/graphql.json`,
+    `https://${SHOPIFY_STORE_DOMAIN}/api/${SHOPIFY_API_VERSION}/graphql.json`,
     {
       method: 'POST',
       headers,

src/utils/env.ts

@@ -15,14 +15,10 @@ const serverEnvSchema = v.object({
   RESEND_API_KEY: v.optional(v.string()),
   SENTRY_DSN: v.optional(v.string()),
   TANSTACK_MCP_ENABLED_TOOLS: v.optional(v.string()),
-  // Shopify Storefront API — server-only. Cart reads and mutations run
-  // through createServerFn (src/utils/shop.functions.ts), so the public
-  // token is never exposed to the browser. The private token is preferred
-  // for its higher rate limits; the public token is kept as an optional
-  // fallback for environments where a private token isn't provisioned.
-  SHOPIFY_STORE_DOMAIN: v.optional(v.string()),
-  SHOPIFY_API_VERSION: v.optional(v.string(), '2026-01'),
-  SHOPIFY_PUBLIC_STOREFRONT_TOKEN: v.optional(v.string()),
+  // Shopify Storefront API token — server-only. Cart reads and mutations
+  // run through createServerFn (src/utils/shop.functions.ts), so this
+  // token never reaches the browser. Store domain + API version are
+  // public-by-design and hard-coded in src/server/shopify/fetch.ts.
   SHOPIFY_PRIVATE_STOREFRONT_TOKEN: v.optional(v.string()),
 })