Problem
.env.example advertises provider configs (Google OAuth, Azure OpenAI, OpenAI, Phi-3, etc.) that aren't actually wired into the app. Meanwhile, not every env var actually required at runtime is necessarily listed. Two recent prod incidents have already involved schema/config drift (fix(db): Add Orders and certificate number migration, fix(build): Run prisma migrate deploy in vercel-build).
The branch security/auth-hardening just added two new env vars (ADMIN_GITHUB_LOGINS, ALLOW_ANY_GITHUB_USER) — good checkpoint to do a full audit.
Expected behavior
.env.example lists every env var the running app actually reads, grouped by subsystem, each annotated with:
- whether required or optional
- valid example values
- sensitivity (public vs secret)
- where it is consumed
Unused vars are removed.
Acceptance criteria
Suggested approach
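```bash
# List every env var name the TypeScript sources read via process.env.NAME.
# The character class includes digits so names containing them are not truncated.
grep -r "process\.env\." src --include="*.ts" --include="*.tsx" | \
grep -oE "process\.env\.[A-Z_][A-Z0-9_]*" | sort -u
```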
Diff that list against .env.example. Reconcile.
Acceptance criteria
- process.env. usages, cross-reference against .env.example.
- zod schema against process.env) that fails loudly if a required var is missing.
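The diff-and-reconcile step from the suggested approach, as an added example that is not part of the original issue or the project's code. The script name `audit-env.sh` and the function names are hypothetical, and it assumes `.env.example` uses `KEY=value` lines, counting commented-out `# KEY=` entries as documented.

```shell
#!/usr/bin/env bash
# Added example: reconcile env vars the code reads against .env.example.
# Assumptions: names match [A-Z_][A-Z0-9_]*; .env.example holds KEY=value
# lines, optionally commented out ("# KEY=") or prefixed with "export".

# Names read as process.env.NAME in .ts/.tsx files under directory $1.
used_vars() {
  grep -rhoE --include='*.ts' --include='*.tsx' \
    'process\.env\.[A-Z_][A-Z0-9_]*' "$1" |
    sed 's/^process\.env\.//' | LC_ALL=C sort -u
}

# Names documented in the example file $1.
documented_vars() {
  sed -nE 's/^[[:space:]]*#?[[:space:]]*(export[[:space:]]+)?([A-Z_][A-Z0-9_]*)=.*/\2/p' "$1" |
    LC_ALL=C sort -u
}

# Prints "undocumented NAME" for vars read but not listed, and "unused NAME"
# for vars listed but never read. Returns 1 on any drift so it can gate CI.
audit_env() {
  tmp=$(mktemp -d) || return 2
  used_vars "$1" > "$tmp/used"
  documented_vars "$2" > "$tmp/documented"
  LC_ALL=C comm -23 "$tmp/used" "$tmp/documented" |
    sed 's/^/undocumented /' > "$tmp/report"
  LC_ALL=C comm -13 "$tmp/used" "$tmp/documented" |
    sed 's/^/unused /' >> "$tmp/report"
  cat "$tmp/report"
  if [ -s "$tmp/report" ]; then rc=1; else rc=0; fi
  rm -rf "$tmp"
  return "$rc"
}

# Usage: ./audit-env.sh src .env.example
if [ "$#" -eq 2 ]; then audit_env "$1" "$2"; fi
```

Bracket access (`process.env[name]`), destructuring from `process.env`, and variables read outside the `.ts`/`.tsx` sources are not matched, so review those by hand.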