fix: unify env var configuration -- API_KEY/DEV_API_KEY mismatch, missing vars, stale references

Problems fixed:
1. API_KEY vs DEV_API_KEY: .env.example had API_KEY but backend reads
   DEV_API_KEY. docker-compose passed API_KEY which backend ignored.
   Now .env.example documents DEV_API_KEY with clear dev-only warning.
2. EMBEDDING_MODEL mismatch: .env.example said text-embedding-3-large
   but code defaults to text-embedding-3-small. Aligned to match code.
3. Missing vars: added DEV_API_KEY, DEBUG, LOG_LEVEL, REDIS_URL to
   .env.example. Self-hosters can now see every configurable option.
4. Dead env vars: removed SUPABASE_KEY and API_KEY from conftest
   (nobody reads them).
5. docker-compose: passes DEV_API_KEY + DEBUG + EMBEDDING_MODEL now.
6. startup_checks: added GITHUB_CLIENT_ID/SECRET and
   DISCORD_FEEDBACK_WEBHOOK to optional vars.

284 tests pass.

Closes OPE-72

Author: DevanshuNEU

.env.example

@@ -6,11 +6,10 @@
 OPENAI_API_KEY=sk-...
 
 # Embedding Model (Optional)
-# Options: text-embedding-3-small (faster, cheaper), text-embedding-3-large (better quality)
-# Default: text-embedding-3-large
-EMBEDDING_MODEL=text-embedding-3-large
+# Options: text-embedding-3-small (default, faster/cheaper), text-embedding-3-large (better quality)
+EMBEDDING_MODEL=text-embedding-3-small
 
-# Pinecone API (Required)  
+# Pinecone API (Required)
 # Get from: https://app.pinecone.io/
 PINECONE_API_KEY=pcsk_...
 PINECONE_INDEX_NAME=codeintel
@@ -19,13 +18,16 @@ PINECONE_INDEX_NAME=codeintel
 # Get from: https://app.supabase.com/project/_/settings/api
 SUPABASE_URL=https://your-project.supabase.co
 SUPABASE_ANON_KEY=eyJ...
-# From Project Settings -> API -> JWT Secret
 SUPABASE_JWT_SECRET=your-jwt-secret
-# From Project Settings -> API -> service_role key
 SUPABASE_SERVICE_ROLE_KEY=eyJ...
 
-# Backend API
-API_KEY=change-this-secret-key-for-production
+# Development API Key (Optional -- dev/test only, ignored in production)
+# Used to bypass JWT auth when DEBUG=true. Never set in production.
+DEV_API_KEY=
+DEBUG=false
+LOG_LEVEL=INFO
+
+# Backend API URL (used by MCP server and frontend)
 BACKEND_API_URL=http://backend:8000
 FRONTEND_URL=http://localhost:3000
 
@@ -37,31 +39,28 @@ GITHUB_REDIRECT_URI=http://localhost:3000/auth/github/callback
 
 # CORS Configuration (Security)
 # Comma-separated list of allowed origins
-# Development: http://localhost:3000
-# Production: https://your-app.vercel.app,https://your-domain.com
 ALLOWED_ORIGINS=http://localhost:3000
 
 # Redis (auto-configured in Docker, set REDIS_URL in Railway)
 REDIS_HOST=redis
 REDIS_PORT=6379
+REDIS_URL=
 
 # Sentry Error Tracking (Optional but recommended for production)
 # Get DSN from: https://sentry.io -> Settings -> Projects -> Client Keys
 SENTRY_DSN=
 SENTRY_SEND_PII=false
 SENTRY_INCLUDE_LOCAL_VARS=false
-ENVIRONMENT=development  # development, staging, production
+ENVIRONMENT=development
 
-# Discord Webhook (Optional - for feedback notifications)
+# Discord Webhook (Optional -- for feedback notifications)
 DISCORD_FEEDBACK_WEBHOOK=
 
-# Search V2 Configuration
-# Cohere API for reranking (Optional - improves search quality)
+# Cohere API for reranking (Optional -- improves search quality)
 # Get from: https://dashboard.cohere.com/api-keys
-# Free tier: 10K requests/month
 COHERE_API_KEY=
 SEARCH_V2_ENABLED=true
 
-# Voyage AI - code-specific embeddings (Optional - improves code search quality)
+# Voyage AI (Optional -- code-specific embeddings for better search)
 # Get from: https://dash.voyageai.com/
 VOYAGE_API_KEY=

backend/config/startup_checks.py

@@ -26,6 +26,9 @@
     ("SENTRY_SEND_PII", "Send user emails to Sentry", "PII disabled (privacy safe)"),
     ("SENTRY_INCLUDE_LOCAL_VARS", "Include local vars in Sentry traces", "Local vars excluded"),
     ("REDIS_HOST", "Redis host for caching", "Using default localhost"),
+    ("GITHUB_CLIENT_ID", "GitHub OAuth client ID", "GitHub repo import disabled"),
+    ("GITHUB_CLIENT_SECRET", "GitHub OAuth client secret", "GitHub repo import disabled"),
+    ("DISCORD_FEEDBACK_WEBHOOK", "Discord webhook for feedback", "Feedback notifications disabled"),
 ]
 
 

backend/tests/conftest.py

@@ -10,13 +10,11 @@
 
 # Set test environment BEFORE imports
 os.environ["DEBUG"] = "true"
-os.environ["DEV_API_KEY"] = "test-secret-key"  # New env var for dev key
-os.environ["API_KEY"] = "test-secret-key"  # Legacy support
+os.environ["DEV_API_KEY"] = "test-secret-key"
 os.environ["OPENAI_API_KEY"] = "sk-test-key"
 os.environ["PINECONE_API_KEY"] = "pcsk-test"
 os.environ["PINECONE_INDEX_NAME"] = "test-index"
 os.environ["SUPABASE_URL"] = "https://test.supabase.co"
-os.environ["SUPABASE_KEY"] = "test-key"
 os.environ["SUPABASE_ANON_KEY"] = "test-anon-key"
 os.environ["SUPABASE_JWT_SECRET"] = "test-jwt-secret"
 

docker-compose.yml

@@ -35,7 +35,9 @@ services:
       - SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
       - SUPABASE_JWT_SECRET=${SUPABASE_JWT_SECRET}
       - SUPABASE_SERVICE_ROLE_KEY=${SUPABASE_SERVICE_ROLE_KEY}
-      - API_KEY=${API_KEY}
+      - DEV_API_KEY=${DEV_API_KEY}
+      - DEBUG=${DEBUG:-false}
+      - EMBEDDING_MODEL=${EMBEDDING_MODEL:-text-embedding-3-small}
       - BACKEND_API_URL=http://backend:8000
       - DISCORD_FEEDBACK_WEBHOOK=${DISCORD_FEEDBACK_WEBHOOK}
       - COHERE_API_KEY=${COHERE_API_KEY}