fix(reviews): remove redundant comment in ProductDetailReviewsPanel component

Gitea Actions does not evaluate fromJson() in matrix strategy — matrix.app
was always empty, breaking turbo prune. Replaced with two explicit jobs
(build-storefront, build-admin) each with a plain if: condition.

The deploy job uses always() + !contains(needs.*.result, 'failure') so it
runs when either build succeeded and skips when a build was cancelled/failed.
Parallelism is preserved — both apps still build simultaneously when both change.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -3,7 +3,7 @@ name: CI
 on:
   push:
     branches:
-      - "**"
+      - feat #"**" # TODO: change to "**" after testing
 
 jobs:
   ci:

.gitea/workflows/deploy-staging.yml

@@ -0,0 +1,258 @@
+name: Deploy — Staging
+
+on:
+  push:
+    branches:
+      - staging
+
+# Gitea Actions has no environment-level secrets (unlike GitHub Actions).
+# Staging and production secrets live at repo level, distinguished by prefix.
+# Production workflow uses the same names with PROD_ prefix.
+#
+# Required secrets (repo → Settings → Secrets and Variables → Actions):
+#   STAGING_REGISTRY                                    — host:port/owner
+#   STAGING_REGISTRY_USER                               — Gitea username
+#   STAGING_REGISTRY_TOKEN                              — Gitea PAT (package:write)
+#   STAGING_SSH_HOST                                    — host.containers.internal
+#   STAGING_SSH_USER                                    — SSH user on the VPS
+#   STAGING_SSH_KEY                                     — SSH private key (full PEM)
+#   STAGING_SSH_PORT                                    — (optional) defaults to 22
+#   STAGING_NEXT_PUBLIC_CONVEX_URL
+#   STAGING_STOREFRONT_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
+#   STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
+#   STAGING_NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME
+#   STAGING_NEXT_PUBLIC_CLOUDINARY_API_KEY
+#   STAGING_NEXT_PUBLIC_IMAGE_PROCESSING_API_URL
+#   STAGING_NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY
+#   STAGING_STOREFRONT_CLERK_SECRET_KEY
+#   STAGING_ADMIN_CLERK_SECRET_KEY
+#   STAGING_CLOUDINARY_API_SECRET
+
+jobs:
+  # ── 0. Detect changes ────────────────────────────────────────────────────────
+  # Determines which apps need to be rebuilt on this push.
+  # Shared paths (packages/, convex/, root config) mark both apps as changed.
+
+  changes:
+    name: Detect changed apps
+    runs-on: ubuntu-latest
+    outputs:
+      storefront: ${{ steps.detect.outputs.storefront }}
+      admin: ${{ steps.detect.outputs.admin }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - name: Determine affected apps
+        id: detect
+        run: |
+          BASE=$(git rev-parse HEAD~1 2>/dev/null || git hash-object -t tree /dev/null)
+          CHANGED=$(git diff --name-only "$BASE" HEAD)
+
+          STOREFRONT=false
+          ADMIN=false
+
+          # Shared paths affect both apps
+          if echo "$CHANGED" | grep -qE '^(package\.json|package-lock\.json|turbo\.json|packages/|convex/)'; then
+            STOREFRONT=true
+            ADMIN=true
+          fi
+
+          echo "$CHANGED" | grep -q '^apps/storefront/' && STOREFRONT=true || true
+          echo "$CHANGED" | grep -q '^apps/admin/'      && ADMIN=true      || true
+
+          echo "storefront=${STOREFRONT}" >> "$GITHUB_OUTPUT"
+          echo "admin=${ADMIN}"           >> "$GITHUB_OUTPUT"
+
+  # ── 1. CI ───────────────────────────────────────────────────────────────────
+
+  ci:
+    name: Lint, Typecheck & Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - run: npm ci
+      - run: npm run lint
+      - run: npm run type-check
+      - run: npm run test:once
+
+  # ── 2a. Build storefront ─────────────────────────────────────────────────────
+
+  build-storefront:
+    name: Build & push — storefront
+    needs: [ci, changes]
+    if: needs.changes.outputs.storefront == 'true'
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - run: npm ci
+
+      - name: Prune workspace
+        run: |
+          npx turbo prune storefront --docker
+          cp -r convex out/full/convex
+          cp package-lock.json out/package-lock.json
+
+      - name: Authenticate with registry
+        run: |
+          mkdir -p ~/.docker
+          AUTH=$(echo -n "${{ secrets.STAGING_REGISTRY_USER }}:${{ secrets.STAGING_REGISTRY_TOKEN }}" | base64 -w 0)
+          REGISTRY_HOST=$(echo "${{ secrets.STAGING_REGISTRY }}" | cut -d'/' -f1)
+          echo "{\"auths\":{\"${REGISTRY_HOST}\":{\"auth\":\"${AUTH}\"}}}" > ~/.docker/config.json
+
+      - name: Build & push
+        env:
+          NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ secrets.STAGING_STOREFRONT_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
+          NEXT_PUBLIC_CONVEX_URL: ${{ secrets.STAGING_NEXT_PUBLIC_CONVEX_URL }}
+          NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY }}
+        run: |
+          SHORT_SHA="${GITHUB_SHA::7}"
+          IMAGE="${{ secrets.STAGING_REGISTRY }}/storefront"
+          docker build \
+            -f apps/storefront/Dockerfile \
+            --build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY" \
+            --build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
+            --build-arg NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY="$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY" \
+            --load -t "${IMAGE}:staging" ./out
+          docker tag "${IMAGE}:staging" "${IMAGE}:sha-${SHORT_SHA}"
+          docker push "${IMAGE}:staging"
+          docker push "${IMAGE}:sha-${SHORT_SHA}"
+
+  # ── 2b. Build admin ──────────────────────────────────────────────────────────
+
+  build-admin:
+    name: Build & push — admin
+    needs: [ci, changes]
+    if: needs.changes.outputs.admin == 'true'
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - run: npm ci
+
+      - name: Prune workspace
+        run: |
+          npx turbo prune admin --docker
+          cp -r convex out/full/convex
+          cp package-lock.json out/package-lock.json
+
+      - name: Authenticate with registry
+        run: |
+          mkdir -p ~/.docker
+          AUTH=$(echo -n "${{ secrets.STAGING_REGISTRY_USER }}:${{ secrets.STAGING_REGISTRY_TOKEN }}" | base64 -w 0)
+          REGISTRY_HOST=$(echo "${{ secrets.STAGING_REGISTRY }}" | cut -d'/' -f1)
+          echo "{\"auths\":{\"${REGISTRY_HOST}\":{\"auth\":\"${AUTH}\"}}}" > ~/.docker/config.json
+
+      - name: Build & push
+        env:
+          NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ secrets.STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
+          NEXT_PUBLIC_CONVEX_URL: ${{ secrets.STAGING_NEXT_PUBLIC_CONVEX_URL }}
+          NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME: ${{ secrets.STAGING_NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME }}
+          NEXT_PUBLIC_CLOUDINARY_API_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_CLOUDINARY_API_KEY }}
+          NEXT_PUBLIC_IMAGE_PROCESSING_API_URL: ${{ secrets.STAGING_NEXT_PUBLIC_IMAGE_PROCESSING_API_URL }}
+        run: |
+          SHORT_SHA="${GITHUB_SHA::7}"
+          IMAGE="${{ secrets.STAGING_REGISTRY }}/admin"
+          docker build \
+            -f apps/admin/Dockerfile \
+            --build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY" \
+            --build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
+            --build-arg NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME="$NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME" \
+            --build-arg NEXT_PUBLIC_CLOUDINARY_API_KEY="$NEXT_PUBLIC_CLOUDINARY_API_KEY" \
+            --build-arg NEXT_PUBLIC_IMAGE_PROCESSING_API_URL="$NEXT_PUBLIC_IMAGE_PROCESSING_API_URL" \
+            --load -t "${IMAGE}:staging" ./out
+          docker tag "${IMAGE}:staging" "${IMAGE}:sha-${SHORT_SHA}"
+          docker push "${IMAGE}:staging"
+          docker push "${IMAGE}:sha-${SHORT_SHA}"
+
+  # ── 3. Deploy ────────────────────────────────────────────────────────────────
+  # Runs when at least one app changed and no build failed.
+  # `always()` is required so the job isn't auto-skipped when one build job
+  # was skipped (Gitea/GitHub skip downstream jobs of skipped jobs by default).
+
+  deploy:
+    name: Deploy to staging VPS
+    needs: [build-storefront, build-admin, changes]
+    if: |
+      always() &&
+      (needs.changes.outputs.storefront == 'true' || needs.changes.outputs.admin == 'true') &&
+      !contains(needs.*.result, 'failure') &&
+      !contains(needs.*.result, 'cancelled')
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Write SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.STAGING_SSH_KEY }}" > ~/.ssh/staging
+          chmod 600 ~/.ssh/staging
+
+      - name: Pull & restart containers on VPS
+        env:
+          REGISTRY: ${{ secrets.STAGING_REGISTRY }}
+          REGISTRY_USER: ${{ secrets.STAGING_REGISTRY_USER }}
+          REGISTRY_TOKEN: ${{ secrets.STAGING_REGISTRY_TOKEN }}
+          SSH_HOST: ${{ secrets.STAGING_SSH_HOST }}
+          SSH_USER: ${{ secrets.STAGING_SSH_USER }}
+          SSH_PORT: ${{ secrets.STAGING_SSH_PORT }}
+          CLERK_SECRET_KEY: ${{ secrets.STAGING_STOREFRONT_CLERK_SECRET_KEY }}
+          ADMIN_CLERK_SECRET_KEY: ${{ secrets.STAGING_ADMIN_CLERK_SECRET_KEY }}
+          CLOUDINARY_API_SECRET: ${{ secrets.STAGING_CLOUDINARY_API_SECRET }}
+          STOREFRONT_CHANGED: ${{ needs.changes.outputs.storefront }}
+          ADMIN_CHANGED: ${{ needs.changes.outputs.admin }}
+        run: |
+          REGISTRY_HOST=$(echo "$REGISTRY" | cut -d'/' -f1)
+          COMPOSE_B64=$(sed "s|\${REGISTRY}|${REGISTRY}|g" deploy/staging/compose.yml | base64 -w 0)
+
+          ssh -i ~/.ssh/staging \
+              -p "${SSH_PORT:-22}" \
+              -o StrictHostKeyChecking=accept-new \
+              "${SSH_USER}@${SSH_HOST}" bash -s << EOF
+          set -euo pipefail
+
+          echo "${REGISTRY_TOKEN}" \
+            | podman login "${REGISTRY_HOST}" \
+                -u "${REGISTRY_USER}" --password-stdin --tls-verify=false
+
+          [ "${STOREFRONT_CHANGED}" = "true" ] && podman pull --tls-verify=false "${REGISTRY}/storefront:staging"
+          [ "${ADMIN_CHANGED}"      = "true" ] && podman pull --tls-verify=false "${REGISTRY}/admin:staging"
+
+          mkdir -p /opt/staging
+          echo "${COMPOSE_B64}" | base64 -d > /opt/staging/compose.yml
+
+          printf 'CLERK_SECRET_KEY=%s\nADMIN_CLERK_SECRET_KEY=%s\nCLOUDINARY_API_SECRET=%s\n' \
+            "${CLERK_SECRET_KEY}" "${ADMIN_CLERK_SECRET_KEY}" "${CLOUDINARY_API_SECRET}" \
+            > /opt/staging/.env
+          chmod 600 /opt/staging/.env
+
+          SERVICES=""
+          [ "${STOREFRONT_CHANGED}" = "true" ] && SERVICES="\${SERVICES} storefront"
+          [ "${ADMIN_CHANGED}"      = "true" ] && SERVICES="\${SERVICES} admin"
+
+          cd /opt/staging
+          podman compose up -d --force-recreate --remove-orphans \${SERVICES}
+
+          podman image prune -f
+          EOF

apps/admin/Dockerfile

@@ -0,0 +1,68 @@
+# Build context: ./out  (turbo prune admin --docker)
+# out/json/  — package.json files only   → used by deps stage for layer caching
+# out/full/  — full pruned monorepo       → used by builder stage for source
+# out/package-lock.json
+
+# ── Stage 1: deps ────────────────────────────────────────────────────────────
+FROM node:20-alpine AS deps
+
+RUN apk add --no-cache libc6-compat
+WORKDIR /app
+
+# Upgrade npm to match the project's packageManager (npm@11). The package-lock.json
+# was generated with npm 11 — npm 10 (bundled with node:20) can't fully parse it,
+# causing turbo prune to generate an incomplete pruned lockfile and npm ci to miss
+# packages.
+RUN npm install -g npm@11 --quiet
+
+COPY json/ .
+COPY package-lock.json .
+RUN npm ci
+
+# ── Stage 2: builder ─────────────────────────────────────────────────────────
+FROM node:20-alpine AS builder
+
+WORKDIR /app
+
+COPY --from=deps /app/node_modules ./node_modules
+COPY full/ .
+
+# NEXT_PUBLIC_* vars are baked into the client bundle at build time by Next.js.
+# They must be present here (not just at runtime) or SSG/prerender fails.
+# Passed via --build-arg in CI. Note: Gitea secrets use a STAGING_/PROD_ prefix
+# which is stripped by the workflow before being forwarded here as build args.
+ARG NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
+ARG NEXT_PUBLIC_CONVEX_URL
+ARG NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME
+ARG NEXT_PUBLIC_CLOUDINARY_API_KEY
+ARG NEXT_PUBLIC_IMAGE_PROCESSING_API_URL
+ENV NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY \
+    NEXT_PUBLIC_CONVEX_URL=$NEXT_PUBLIC_CONVEX_URL \
+    NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME=$NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME \
+    NEXT_PUBLIC_CLOUDINARY_API_KEY=$NEXT_PUBLIC_CLOUDINARY_API_KEY \
+    NEXT_PUBLIC_IMAGE_PROCESSING_API_URL=$NEXT_PUBLIC_IMAGE_PROCESSING_API_URL \
+    NEXT_TELEMETRY_DISABLED=1
+
+RUN npx turbo build --filter=admin
+
+# ── Stage 3: runner ──────────────────────────────────────────────────────────
+FROM node:20-alpine AS runner
+
+WORKDIR /app
+
+ENV NODE_ENV=production \
+    NEXT_TELEMETRY_DISABLED=1 \
+    HOSTNAME=0.0.0.0 \
+    PORT=3001
+
+RUN addgroup -g 1001 -S nodejs && adduser -S nextjs -u 1001
+
+COPY --from=builder --chown=nextjs:nodejs /app/apps/admin/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/apps/admin/.next/static ./apps/admin/.next/static
+COPY --from=builder --chown=nextjs:nodejs /app/apps/admin/public ./apps/admin/public
+
+USER nextjs
+
+EXPOSE 3001
+
+CMD ["node", "apps/admin/server.js"]

apps/admin/next.config.js

@@ -3,6 +3,8 @@ const path = require("path");
 
 /** @type {import('next').NextConfig} */
 const nextConfig = {
+  output: "standalone",
+  outputFileTracingRoot: path.join(__dirname, "../.."),
   transpilePackages: ["@repo/convex", "@repo/types", "@repo/utils"],
   turbopack: {
     root: path.join(__dirname, "..", ".."),

apps/admin/package.json

@@ -29,7 +29,7 @@
     "radix-ui": "^1.4.3",
     "react-hook-form": "^7.71.2",
     "sonner": "^2.0.7",
-    "tailwind-merge": "^2.6.1",
+    "tailwind-merge": "^3.4.0",
     "zod": "^3.25.76"
   },
   "devDependencies": {

apps/storefront/Dockerfile

@@ -0,0 +1,81 @@
+# Build context: ./out  (turbo prune storefront --docker)
+# out/json/  — package.json files only   → used by deps stage for layer caching
+# out/full/  — full pruned monorepo       → used by builder stage for source
+# out/package-lock.json
+
+# ── Stage 1: deps ────────────────────────────────────────────────────────────
+# Install ALL dependencies (dev + prod) using only the package.json tree.
+# This layer is shared with the builder stage and only rebuilds when
+# a package.json or the lock file changes — not when source code changes.
+FROM node:20-alpine AS deps
+
+RUN apk add --no-cache libc6-compat
+WORKDIR /app
+
+# Upgrade npm to match the project's packageManager (npm@11). The package-lock.json
+# was generated with npm 11 — npm 10 (bundled with node:20) can't fully parse it,
+# causing turbo prune to generate an incomplete pruned lockfile and npm ci to miss
+# packages like @heroui/react.
+RUN npm install -g npm@11 --quiet
+
+COPY json/ .
+COPY package-lock.json .
+RUN npm ci
+
+# ── Stage 2: builder ─────────────────────────────────────────────────────────
+# Full monorepo source + build artifact.
+# next build produces .next/standalone/ because output: "standalone" is set
+# in next.config.js — that's what makes the runner stage small.
+FROM node:20-alpine AS builder
+
+WORKDIR /app
+
+# Copy everything from the deps stage — not just /app/node_modules.
+# @heroui/react cannot be hoisted to the root by npm and is installed at
+# apps/storefront/node_modules/ instead. Copying only the root node_modules
+# would leave it missing. Copying all of /app/ brings both root and
+# workspace-level node_modules, then full/ layers the source on top.
+COPY --from=deps /app/ ./
+COPY full/ .
+
+# NEXT_PUBLIC_* vars are baked into the client bundle at build time by Next.js.
+# They must be present here (not just at runtime) or SSG/prerender fails.
+# Passed via --build-arg in CI. Note: Gitea secrets use a STAGING_/PROD_ prefix
+# which is stripped by the workflow before being forwarded here as build args.
+ARG NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
+ARG NEXT_PUBLIC_CONVEX_URL
+ARG NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY
+ENV NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY \
+    NEXT_PUBLIC_CONVEX_URL=$NEXT_PUBLIC_CONVEX_URL \
+    NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY \
+    NEXT_TELEMETRY_DISABLED=1
+
+RUN npx turbo build --filter=storefront
+
+# ── Stage 3: runner ──────────────────────────────────────────────────────────
+# Minimal runtime image — only the standalone bundle, static assets, and public dir.
+# No source code, no dev dependencies, no build tools.
+FROM node:20-alpine AS runner
+
+WORKDIR /app
+
+ENV NODE_ENV=production \
+    NEXT_TELEMETRY_DISABLED=1 \
+    HOSTNAME=0.0.0.0 \
+    PORT=3000
+
+# Non-root user for security
+RUN addgroup -g 1001 -S nodejs && adduser -S nextjs -u 1001
+
+# outputFileTracingRoot is set to the repo root, so the standalone directory mirrors
+# the full monorepo tree. server.js lands at apps/storefront/server.js inside
+# standalone/, not at the root. Static files and public/ must be copied separately.
+COPY --from=builder --chown=nextjs:nodejs /app/apps/storefront/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/apps/storefront/.next/static ./apps/storefront/.next/static
+COPY --from=builder --chown=nextjs:nodejs /app/apps/storefront/public ./apps/storefront/public
+
+USER nextjs
+
+EXPOSE 3000
+
+CMD ["node", "apps/storefront/server.js"]

apps/storefront/next.config.js

@@ -3,6 +3,10 @@ const path = require("path");
 
 /** @type {import('next').NextConfig} */
 const nextConfig = {
+  output: "standalone",
+  // Required in a monorepo: tells Next.js to trace files from the repo root
+  // so the standalone bundle includes files from packages/
+  outputFileTracingRoot: path.join(__dirname, "../.."),
   transpilePackages: ["@repo/convex", "@repo/types", "@repo/utils"],
   turbopack: {
     root: path.join(__dirname, "..", ".."),

apps/storefront/package.json

@@ -18,6 +18,8 @@
     "@repo/utils": "*",
     "@stripe/react-stripe-js": "^5.6.0",
     "@stripe/stripe-js": "^8.8.0",
-    "framer-motion": "^11.0.0"
+    "framer-motion": "^11.0.0",
+    "lucide-react": "^0.400.0",
+    "react-markdown": "^10.1.0"
   }
 }

apps/storefront/src/components/product-detail/reviews/ProductDetailReviewsPanel.tsx

@@ -27,7 +27,7 @@ export function ProductDetailReviewsPanel({ productId, initialRating, initialRev
         productId: productId as Id<"products">,
         sortBy,
         limit: offset + LIMIT,
-        offset: 0, // In this pattern, we increase limit to fetch more pages without resetting offset, so previously fetched array grows
+        offset: 0,
     });
 
     if (result === undefined) return <ProductDetailReviewsSkeleton />;

apps/storefront/src/components/product-detail/sections/ProductDetailDescriptionSection.tsx

@@ -1,11 +1,16 @@
+import ReactMarkdown from "react-markdown";
+
 type ProductDetailDescriptionSectionProps = {
-  /** Product description (HTML or plain text); server-rendered in initial HTML per SEO. */
+  /** Product description (Markdown); server-rendered in initial HTML per SEO. */
   description?: string | null;
 };
 
+const descriptionClasses =
+  "max-w-3xl text-sm leading-relaxed text-[var(--foreground)]/80 [&_ol]:mb-3 [&_ol]:list-inside [&_ol]:list-decimal [&_p:last-child]:mb-0 [&_p]:mb-3 [&_ul]:mb-3 [&_ul]:list-inside [&_ul]:list-disc";
+
 /**
  * Description content for the PDP tabs section.
- * Renders inside a parent <section> provided by ProductDetailTabsSection.
+ * Renders Markdown as HTML inside a parent <section> provided by ProductDetailTabsSection.
  * If empty, shows a short fallback message.
  */
 export function ProductDetailDescriptionSection({
@@ -15,10 +20,9 @@ export function ProductDetailDescriptionSection({
     typeof description === "string" && description.trim().length > 0;
 
   return hasContent ? (
-    <div
-      className="max-w-3xl text-sm leading-relaxed text-[var(--foreground)]/80 [&_ol]:mb-3 [&_ol]:list-inside [&_ol]:list-decimal [&_p:last-child]:mb-0 [&_p]:mb-3 [&_ul]:mb-3 [&_ul]:list-inside [&_ul]:list-disc"
-      dangerouslySetInnerHTML={{ __html: description!.trim() }}
-    />
+    <div className={descriptionClasses}>
+      <ReactMarkdown>{description!.trim()}</ReactMarkdown>
+    </div>
   ) : (
     <p className="text-sm text-[var(--muted)]">No description available.</p>
   );

deploy/staging/.env.example

@@ -0,0 +1,15 @@
+# Runtime secrets for staging containers.
+# Copy this file to /opt/staging/.env on the VPS and fill in the values.
+# NEXT_PUBLIC_* vars are already baked into the Docker images at build time —
+# only server-side secrets that Next.js reads at runtime go here.
+
+# Storefront — Clerk server-side key
+CLERK_SECRET_KEY=
+
+# Admin — Clerk server-side key (different Clerk instance)
+# Add a second .env or use per-service env_file if keys differ per container.
+# For now a single .env is shared; storefront ignores keys it doesn't use.
+
+# Stripe (used by storefront checkout server actions if any)
+STRIPE_SECRET_KEY=
+STRIPE_WEBHOOK_SECRET=

deploy/staging/compose.yml

@@ -0,0 +1,25 @@
+name: petloft-staging
+
+services:
+  storefront:
+    image: ${REGISTRY}/storefront:staging
+    restart: unless-stopped
+    ports:
+      - "3001:3000"
+    env_file:
+      - path: .env
+        required: false
+    environment:
+      - CLERK_SECRET_KEY
+
+  admin:
+    image: ${REGISTRY}/admin:staging
+    restart: unless-stopped
+    ports:
+      - "3002:3001"
+    env_file:
+      - path: .env
+        required: false
+    environment:
+      - CLERK_SECRET_KEY=${ADMIN_CLERK_SECRET_KEY}
+      - CLOUDINARY_API_SECRET

package.json

@@ -30,6 +30,7 @@
     "react-dom": "^19.2.4",
     "stripe": "^20.4.0",
     "svix": "^1.86.0",
+    "tailwind-merge": "^3.4.0",
     "tailwindcss": "^4.2.0"
   },
   "devDependencies": {