ci: remove dummy Clerk key; tighten AuthProvider guard

.github/workflows/ci.yml

@@ -50,7 +50,4 @@ jobs:
         env:
           # Keep CI builds deterministic and secretless.
           NEXT_TELEMETRY_DISABLED: "1"
-          # Clerk is required at Next build/prerender time in this repo.
-          # Use a dummy publishable key so forks/PRs can still validate.
-          NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: "pk_test_00000000000000000000000000000000"
         run: make check

frontend/src/components/providers/AuthProvider.tsx

@@ -8,7 +8,15 @@ function isLikelyValidClerkPublishableKey(key: string | undefined): key is strin
   // Clerk publishable keys look like: pk_test_... or pk_live_...
   // In CI we want builds to stay secretless; if the key isn't present/valid,
   // we skip Clerk entirely so `next build` can prerender.
-  return /^pk_(test|live)_[A-Za-z0-9]+$/.test(key);
+  //
+  // Note: Clerk appears to validate key *contents*, not just shape. We therefore
+  // use a conservative heuristic to avoid treating obvious placeholders as valid.
+  const m = /^pk_(test|live)_([A-Za-z0-9]+)$/.exec(key);
+  if (!m) return false;
+  const body = m[2];
+  if (body.length < 16) return false;
+  if (/^0+$/.test(body)) return false;
+  return true;
 }
 
 export function AuthProvider({ children }: { children: ReactNode }) {