From efcd6a4cfe87876a16e463467d035a22a3fab194 Mon Sep 17 00:00:00 2001
From: Devanshu Rajesh Chicholikar <chicholikar.d@northeastern.edu>
Date: Mon, 23 Feb 2026 20:23:32 -0500
Subject: [PATCH 1/2] fix: unify env var configuration -- API_KEY/DEV_API_KEY
 mismatch, missing vars, stale references

Problems fixed:
1. API_KEY vs DEV_API_KEY: .env.example had API_KEY but backend reads
   DEV_API_KEY. docker-compose passed API_KEY which backend ignored.
   Now .env.example documents DEV_API_KEY with clear dev-only warning.
2. EMBEDDING_MODEL mismatch: .env.example said text-embedding-3-large
   but code defaults to text-embedding-3-small. Aligned to match code.
3. Missing vars: added DEV_API_KEY, DEBUG, LOG_LEVEL, REDIS_URL to
   .env.example. Self-hosters can now see every configurable option.
4. Dead env vars: removed SUPABASE_KEY and API_KEY from conftest
   (nobody reads them).
5. docker-compose: passes DEV_API_KEY + DEBUG + EMBEDDING_MODEL now.
6. startup_checks: added GITHUB_CLIENT_ID/SECRET and
   DISCORD_FEEDBACK_WEBHOOK to optional vars.

284 tests pass.

Closes OPE-72
---
 .env.example                     | 31 +++++++++++++++----------------
 backend/config/startup_checks.py |  3 +++
 backend/tests/conftest.py        |  4 +---
 docker-compose.yml               |  4 +++-
 4 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/.env.example b/.env.example
index 1b9bb71..12193bc 100644
--- a/.env.example
+++ b/.env.example
@@ -6,11 +6,10 @@
 OPENAI_API_KEY=sk-...
 
 # Embedding Model (Optional)
-# Options: text-embedding-3-small (faster, cheaper), text-embedding-3-large (better quality)
-# Default: text-embedding-3-large
-EMBEDDING_MODEL=text-embedding-3-large
+# Options: text-embedding-3-small (default, faster/cheaper), text-embedding-3-large (better quality)
+EMBEDDING_MODEL=text-embedding-3-small
 
-# Pinecone API (Required)  
+# Pinecone API (Required)
 # Get from: https://app.pinecone.io/
 PINECONE_API_KEY=pcsk_...
 PINECONE_INDEX_NAME=codeintel
@@ -19,13 +18,16 @@ PINECONE_INDEX_NAME=codeintel
 # Get from: https://app.supabase.com/project/_/settings/api
 SUPABASE_URL=https://your-project.supabase.co
 SUPABASE_ANON_KEY=eyJ...
-# From Project Settings -> API -> JWT Secret
 SUPABASE_JWT_SECRET=your-jwt-secret
-# From Project Settings -> API -> service_role key
 SUPABASE_SERVICE_ROLE_KEY=eyJ...
 
-# Backend API
-API_KEY=change-this-secret-key-for-production
+# Development API Key (Optional -- dev/test only, ignored in production)
+# Used to bypass JWT auth when DEBUG=true. Never set in production.
+DEV_API_KEY=
+DEBUG=false
+LOG_LEVEL=INFO
+
+# Backend API URL (used by MCP server and frontend)
 BACKEND_API_URL=http://backend:8000
 FRONTEND_URL=http://localhost:3000
 
@@ -37,31 +39,28 @@ GITHUB_REDIRECT_URI=http://localhost:3000/auth/github/callback
 
 # CORS Configuration (Security)
 # Comma-separated list of allowed origins
-# Development: http://localhost:3000
-# Production: https://your-app.vercel.app,https://your-domain.com
 ALLOWED_ORIGINS=http://localhost:3000
 
 # Redis (auto-configured in Docker, set REDIS_URL in Railway)
 REDIS_HOST=redis
 REDIS_PORT=6379
+REDIS_URL=
 
 # Sentry Error Tracking (Optional but recommended for production)
 # Get DSN from: https://sentry.io -> Settings -> Projects -> Client Keys
 SENTRY_DSN=
 SENTRY_SEND_PII=false
 SENTRY_INCLUDE_LOCAL_VARS=false
-ENVIRONMENT=development  # development, staging, production
+ENVIRONMENT=development
 
-# Discord Webhook (Optional - for feedback notifications)
+# Discord Webhook (Optional -- for feedback notifications)
 DISCORD_FEEDBACK_WEBHOOK=
 
-# Search V2 Configuration
-# Cohere API for reranking (Optional - improves search quality)
+# Cohere API for reranking (Optional -- improves search quality)
 # Get from: https://dashboard.cohere.com/api-keys
-# Free tier: 10K requests/month
 COHERE_API_KEY=
 SEARCH_V2_ENABLED=true
 
-# Voyage AI - code-specific embeddings (Optional - improves code search quality)
+# Voyage AI (Optional -- code-specific embeddings for better search)
 # Get from: https://dash.voyageai.com/
 VOYAGE_API_KEY=
diff --git a/backend/config/startup_checks.py b/backend/config/startup_checks.py
index 9b3cd43..6616784 100644
--- a/backend/config/startup_checks.py
+++ b/backend/config/startup_checks.py
@@ -26,6 +26,9 @@
     ("SENTRY_SEND_PII", "Send user emails to Sentry", "PII disabled (privacy safe)"),
     ("SENTRY_INCLUDE_LOCAL_VARS", "Include local vars in Sentry traces", "Local vars excluded"),
     ("REDIS_HOST", "Redis host for caching", "Using default localhost"),
+    ("GITHUB_CLIENT_ID", "GitHub OAuth client ID", "GitHub repo import disabled"),
+    ("GITHUB_CLIENT_SECRET", "GitHub OAuth client secret", "GitHub repo import disabled"),
+    ("DISCORD_FEEDBACK_WEBHOOK", "Discord webhook for feedback", "Feedback notifications disabled"),
 ]
 
 
diff --git a/backend/tests/conftest.py b/backend/tests/conftest.py
index 84ca3f2..0678428 100644
--- a/backend/tests/conftest.py
+++ b/backend/tests/conftest.py
@@ -10,13 +10,11 @@
 
 # Set test environment BEFORE imports
 os.environ["DEBUG"] = "true"
-os.environ["DEV_API_KEY"] = "test-secret-key"  # New env var for dev key
-os.environ["API_KEY"] = "test-secret-key"  # Legacy support
+os.environ["DEV_API_KEY"] = "test-secret-key"
 os.environ["OPENAI_API_KEY"] = "sk-test-key"
 os.environ["PINECONE_API_KEY"] = "pcsk-test"
 os.environ["PINECONE_INDEX_NAME"] = "test-index"
 os.environ["SUPABASE_URL"] = "https://test.supabase.co"
-os.environ["SUPABASE_KEY"] = "test-key"
 os.environ["SUPABASE_ANON_KEY"] = "test-anon-key"
 os.environ["SUPABASE_JWT_SECRET"] = "test-jwt-secret"
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 911866f..bf7a17e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -35,7 +35,9 @@ services:
       - SUPABASE_ANON_KEY=${SUPABASE_ANON_KEY}
       - SUPABASE_JWT_SECRET=${SUPABASE_JWT_SECRET}
       - SUPABASE_SERVICE_ROLE_KEY=${SUPABASE_SERVICE_ROLE_KEY}
-      - API_KEY=${API_KEY}
+      - DEV_API_KEY=${DEV_API_KEY}
+      - DEBUG=${DEBUG:-false}
+      - EMBEDDING_MODEL=${EMBEDDING_MODEL:-text-embedding-3-small}
       - BACKEND_API_URL=http://backend:8000
       - DISCORD_FEEDBACK_WEBHOOK=${DISCORD_FEEDBACK_WEBHOOK}
       - COHERE_API_KEY=${COHERE_API_KEY}

From 9a2a031611c9a5806d5715e0c56e8be37cd3d764 Mon Sep 17 00:00:00 2001
From: Devanshu Rajesh Chicholikar <chicholikar.d@northeastern.edu>
Date: Mon, 23 Feb 2026 20:35:44 -0500
Subject: [PATCH 2/2] fix: review findings -- add GitHub OAuth + LOG_LEVEL to
 docker-compose, remove stale API_KEY

1. docker-compose: added GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET,
   GITHUB_REDIRECT_URI, LOG_LEVEL. GitHub OAuth was broken in Docker.
2. docker-compose: removed stale API_KEY= from commented
   MCP block (we renamed to DEV_API_KEY but missed this comment).

284 tests pass.
---
 docker-compose.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index bf7a17e..c163102 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -38,6 +38,10 @@ services:
       - DEV_API_KEY=${DEV_API_KEY}
       - DEBUG=${DEBUG:-false}
       - EMBEDDING_MODEL=${EMBEDDING_MODEL:-text-embedding-3-small}
+      - LOG_LEVEL=${LOG_LEVEL:-INFO}
+      - GITHUB_CLIENT_ID=${GITHUB_CLIENT_ID}
+      - GITHUB_CLIENT_SECRET=${GITHUB_CLIENT_SECRET}
+      - GITHUB_REDIRECT_URI=${GITHUB_REDIRECT_URI}
       - BACKEND_API_URL=http://backend:8000
       - DISCORD_FEEDBACK_WEBHOOK=${DISCORD_FEEDBACK_WEBHOOK}
       - COHERE_API_KEY=${COHERE_API_KEY}
@@ -98,7 +102,6 @@ services:
   #     - "8001:8001"
   #   environment:
   #     - BACKEND_API_URL=http://backend:8000
-  #     - API_KEY=${API_KEY}
   #   depends_on:
   #     - backend
   #   networks: