ci(e2e): report captcha drift in staging instance validation

[jacekradko]

The staging-instance validator has been ignoring captcha_enabled and captcha_widget_type as "expected to differ", which is exactly how the Turnstile drift that kept the staging generic leg red for a week stayed invisible (legal-consent sign-ups blocked on an unsolvable headless captcha, see run 27344100979). Bot protection changes e2e behavior, so it belongs in the comparison.

The script is report-only on main, so this only surfaces drift. A live run currently flags ~11 staging instances with captcha on while their prod counterparts have it off; 5 others have it on in both environments and correctly report as matched.

Summary by CodeRabbit

Release Notes

• Tests

  • Added test coverage for environment validation logic.

• Chores

  • Updated environment validation configuration to adjust which settings are compared between staging and production deployments.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jun 11, 2026 4:35pm
swingset	Ready	Preview, Comment	Jun 11, 2026 4:35pm

[changeset-bot]

🦋 Changeset detected

Latest commit: a3bf419

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 0310b799-cb9c-4876-a123-bc50ca2ec066

📥 Commits

Reviewing files that changed from the base of the PR and between d0ed42f and a3bf419.

📒 Files selected for processing (3)

• .changeset/heavy-pugs-warn.md
• scripts/validate-staging-instances.mjs
• scripts/validate-staging-instances.test.mjs

---

📝 Walkthrough

Walkthrough

The PR updates staging-vs-production environment validation by replacing captcha-related path filters with HIBP-related filters in IGNORED_PATHS, exports the isIgnored function for direct testing, and adds a test suite verifying the updated filtering logic and existing ignored patterns.

Changes

Staging Validation Updates

Layer / File(s)	Summary
Ignored paths and API exports scripts/validate-staging-instances.mjs, .changeset/heavy-pugs-warn.md	IGNORED_PATHS configuration removes /.captcha_enabled$/ and /.captcha_widget_type$/ patterns and adds /.enforce_hibp_on_sign_in$/ and /.disable_hibp$/ instead. The isIgnored function is added to named exports to enable direct testing.
isIgnored function tests scripts/validate-staging-instances.test.mjs	New test suite verifies that captcha-related settings are not ignored, while ID, logo_url, and HIBP-related keys remain in the ignored set.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Paths to ignore, now rewritten clean,
Captcha departs, HIBP takes the scene,
Tests confirm what gets filtered away,
Staging snapshots match prod today!
Exported and proven, the validation's bright,
Configuration dances with tests held tight. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly describes the main change: updating the staging instance validator to report (stop ignoring) captcha-related drift.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8832

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8832

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8832

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8832

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8832

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8832

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8832

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8832

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8832

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8832

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8832

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8832

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8832

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8832

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8832

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8832

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8832

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8832

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8832

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8832

commit: a3bf419

[jacekradko]

Superseded by #8757 (merged as 09054eb), which carried this change in full so the two could land in either order. Everything here (captcha ignore-removal, isIgnored export, tests) is already on main.