fix(og): derive og:image origin from incoming request, not env vars

On Netlify deploy previews, og:image was rendering as
`https://tanstack.com/api/og/<lib>.png` — pointing at production rather
than the preview origin — making the new takumi binary fix impossible
to validate from the preview HTML.

The previous attempt read `process.env.DEPLOY_PRIME_URL` etc. inside the
SSR function, but those variables turn out to be unreliable (or absent)
in our bundled function context, so the chain fell through to `URL`,
which is the production hostname even on a deploy preview.

Use `getRequest()` from `@tanstack/react-start/server` instead — the
incoming Request URL is the source of truth for which origin served
this page, and it always matches the deploy that's about to fetch the
og:image. Verified locally that og:image now renders as
`http://localhost:3000/api/og/<lib>.png`.

- vite.config.ts: allow `src/utils/og.ts` to import
  `@tanstack/react-start/server`. Uses are gated by `import.meta.env.SSR`
  so the import is tree-shaken from the client bundle; allowlisting
  just lets the static import through the protection check.
- og.ts: prefer `new URL(getRequest().url).origin` for the SSR origin,
  with the env-var chain kept as a fallback for non-request contexts.

Author: AlemTuzlak

src/utils/og.ts

@@ -1,3 +1,4 @@
+import { getRequest } from '@tanstack/react-start/server'
 import type { LibraryId } from '~/libraries'
 import { canonicalUrl } from './seo'
 import {
@@ -20,11 +21,21 @@ type OgImageOptions = {
  * og:image URLs MUST be reachable on the same deploy that emitted them
  * — social-card validators fetch the URL from the meta tag verbatim.
  *
- * On Netlify preview/branch deploys, `URL` is still the production URL,
- * but `DEPLOY_PRIME_URL` is the deploy's own origin. Prefer that.
+ * The incoming request URL is the source of truth: on a Netlify deploy
+ * preview the request hits `deploy-preview-N--tanstack.netlify.app`, so
+ * the og:image must point there too. `process.env.DEPLOY_PRIME_URL` and
+ * friends turn out to be unreliable inside the bundled SSR function, so
+ * we read the origin from the live request instead.
  */
 function getOgOrigin(): string {
   if (!import.meta.env.SSR) return DEFAULT_SITE_URL
+  try {
+    const request = getRequest()
+    if (request?.url) return new URL(request.url).origin
+  } catch {
+    // getRequest() throws if called outside an SSR request context
+    // (e.g. build-time prerender). Fall through to the env-var fallback.
+  }
   const env = process.env
   const origin =
     env.DEPLOY_PRIME_URL || env.DEPLOY_URL || env.URL || env.SITE_URL

vite.config.ts

@@ -226,7 +226,12 @@ export default defineConfig({
       importProtection: {
         behavior: 'error',
         client: {
-          files: ['**/*.server.*', '**/server/**'],
+          // src/utils/og.ts imports getRequest from @tanstack/react-start/server
+          // to derive the og:image origin from the live request — uses are
+          // gated by `import.meta.env.SSR`, so Vite tree-shakes the import out
+          // of the client bundle. Allowlist the file so the static import
+          // doesn't trip the protection check during bundling.
+          files: ['**/*.server.*', '**/server/**', '**/utils/og.ts'],
           specifiers: [
             '@tanstack/react-start/server',
             'uploadthing/server',