Skip to content

Audit .env.example vs .env — document every required env var #1063

Description

@jeromehardaway

Problem

.env.example advertises provider configs (Google OAuth, Azure OpenAI, OpenAI, Phi-3, etc.) that aren't actually wired into the app. Meanwhile, not every env var actually required at runtime is necessarily listed. Two recent prod incidents have already involved schema/config drift (fix(db): Add Orders and certificate number migration, fix(build): Run prisma migrate deploy in vercel-build).

The branch security/auth-hardening just added two new env vars (ADMIN_GITHUB_LOGINS, ALLOW_ANY_GITHUB_USER) — good checkpoint to do a full audit.

Expected behavior

.env.example lists every env var the running app actually reads, grouped by subsystem, each annotated with:

  • whether required or optional
  • valid example values
  • sensitivity (public vs secret)
  • where it is consumed

Unused vars are removed.

Acceptance criteria

  • Grep the codebase for process.env. usages, cross-reference against .env.example.
  • Remove advertised-but-unused variables (e.g., if Google OAuth/Azure/OpenAI/Phi-3 aren't actually wired, drop them — or open separate issues to implement them).
  • Add any missing variables.
  • Document required vs optional clearly.
  • (Optional) Add a runtime validator at boot (zod schema against process.env) that fails loudly if a required var is missing.

Suggested approach

grep -r "process.env\." src --include="*.ts" --include="*.tsx" | \
  grep -oE "process\.env\.[A-Z_]+" | sort -u

Diff that list against .env.example. Reconcile.

Metadata

Metadata

Assignees

No one assigned

    Labels

    cleanupCode cleanup and maintenancedocumentationDocumentation improvements

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions