Rename STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY to STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY

[BilalG1]

Summary

• Renames the env var STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY to STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY everywhere it is used (24 occurrences across 9 files), covering backend env files, the Prisma seed script, runtime config, and the docker entrypoint/local-emulator scripts.

Test plan

• pnpm lint
• pnpm typecheck
• Verify local emulator still boots with the renamed variable
• Verify any deploy/CI configs that set the old name are updated alongside this change

Summary by CodeRabbit

• Chores
  • Updated internal environment variable naming for consistency across backend configuration files and deployment scripts.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
stack-auth-hosted-components	Ready	Preview, Comment	May 5, 2026 5:19pm
stack-backend	Ready	Preview, Comment	May 5, 2026 5:19pm
stack-dashboard	Ready	Preview, Comment	May 5, 2026 5:19pm
stack-demo	Ready	Preview, Comment	May 5, 2026 5:19pm
stack-docs	Ready	Preview, Comment	May 5, 2026 5:19pm
stack-preview-backend	Ready	Preview, Comment	May 5, 2026 5:19pm
stack-preview-dashboard	Ready	Preview, Comment	May 5, 2026 5:19pm

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR renames the environment variable STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY to STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY across environment configuration, Docker infrastructure scripts, and application code that reads and uses this key.

Changes

Environment Variable Rename: STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY → STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY

Layer / File(s)	Summary
Configuration Definition apps/backend/.env, apps/backend/.env.development	Environment variable definitions and development defaults are updated to use the new non-seed-prefixed name STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY.
Docker Infrastructure: Generation & Comments docker/local-emulator/generate-env-development.mjs	Inline comment referencing the variable in the .env.development generation script is updated to reflect the new variable name.
Docker Infrastructure: Cloud-Init & Emulation docker/local-emulator/qemu/cloud-init/emulator/user-data	The variable name is updated in three places: render-stack-env emits it to /run/stack-auth/local-emulator.env; slim-image smoke test injects it into container environment; and trigger-fast-rotate passes it to the secrets rotation script via docker exec.
Docker Infrastructure: QEMU Orchestration docker/local-emulator/qemu/run-emulator.sh	The qga_trigger_fast_rotate function payload now uses the new variable name when invoking the guest trigger-fast-rotate script.
Docker Infrastructure: Secrets Rotation docker/local-emulator/rotate-secrets.sh	Secrets rotation script updated in five places: validation, env output, JavaScript bundle rewriting, and Postgres ApiKeySet update all use the new variable name.
Docker Entrypoint Bootstrap docker/server/entrypoint.sh	Local-emulator mode environment validation, ApiKeySet row bootstrap, and NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY derivation all switched to read from the new variable name.
Application Code: Seeding apps/backend/prisma/seed.ts	Internal API key-set seeding now reads the publishable client key from the new variable name and updates corresponding error messaging.
Application Code: Server Initialization apps/backend/src/stack.tsx	getStackServerApp() now initializes the internal project's publishable client key from the new variable name.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A key by a kinder name we rename,
From "seed" to plain, they're quite the same,
Through docker scripts and app code bright,
Consistency flows left and right,
One variable, one refactoring sight!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly describes the main change: renaming a specific environment variable across the codebase.
Description check	✅ Passed	The description provides a summary of changes, lists the scope (24 occurrences across 9 files), and includes a test plan with progress tracking.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch rename-seed-internal-pck-var

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

apps/backend/.env (1)

8-19: 💤 Low value

Consider moving STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY out of the "seed script settings" section.

This variable is no longer seed-only — apps/backend/src/stack.tsx now reads it at runtime in getStackServerApp(). Leaving it under the # seed script settings header next to keys that remain STACK_SEED_* may confuse operators about whether it's required only at seed time. Consider relocating it to its own section or adding a clarifying comment, e.g.:

📝 Proposed clarifying comment

 STACK_SEED_INTERNAL_PROJECT_USER_GITHUB_ID=# add github oauth id to the default user
+# Required at runtime by the backend (apps/backend/src/stack.tsx) and at seed time. Unlike the STACK_SEED_* keys, this is not seed-only.
 STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=# default publishable client key for the internal project
 STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=# default secret server key for the internal project
 STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=# default super secret admin key for the internal project

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/backend/.env` around lines 8 - 19, The env var
STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY is used at runtime by
getStackServerApp(), so move it out of the "seed script settings" block or add a
clarifying comment above the variable indicating it's required at runtime (not
just for seeding); update the .env grouping/header so
STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY is either in a new "runtime
settings" section or annotated with a note referencing getStackServerApp() to
avoid operator confusion.

apps/backend/src/stack.tsx (1)

20-21: ⚖️ Poor tradeoff

Naming inconsistency: secretServerKey still uses STACK_SEED_* prefix even though it's also read at runtime here.

getStackServerApp() is invoked at backend runtime (not just seed time), yet only the publishable client key was renamed. The secretServerKey on line 21 still pulls from STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY, which now misleadingly suggests it's seed-only. Consider renaming STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY → STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY in a follow-up so the naming convention is uniform across the keys this constructor consumes.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/backend/src/stack.tsx` around lines 20 - 21, The env key name is
inconsistent: secretServerKey is still reading
STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY even though getStackServerApp() is
used at runtime; update the call that sets secretServerKey to read
STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY instead of
STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY and rename the environment
variable everywhere else (docs, .env templates, seed scripts) to match; ensure
the change is applied where the object with publishableClientKey and
secretServerKey is constructed so both keys share the STACK_INTERNAL_PROJECT_*
naming convention.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@apps/backend/.env`:
- Around line 8-19: The env var STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY is
used at runtime by getStackServerApp(), so move it out of the "seed script
settings" block or add a clarifying comment above the variable indicating it's
required at runtime (not just for seeding); update the .env grouping/header so
STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY is either in a new "runtime
settings" section or annotated with a note referencing getStackServerApp() to
avoid operator confusion.

In `@apps/backend/src/stack.tsx`:
- Around line 20-21: The env key name is inconsistent: secretServerKey is still
reading STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY even though
getStackServerApp() is used at runtime; update the call that sets
secretServerKey to read STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY instead of
STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY and rename the environment
variable everywhere else (docs, .env templates, seed scripts) to match; ensure
the change is applied where the object with publishableClientKey and
secretServerKey is constructed so both keys share the STACK_INTERNAL_PROJECT_*
naming convention.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 46e7f058-0a78-4395-a2e5-f8f2057efe47

📥 Commits

Reviewing files that changed from the base of the PR and between 7a54e82 and df8df65.

📒 Files selected for processing (9)

• apps/backend/.env
• apps/backend/.env.development
• apps/backend/prisma/seed.ts
• apps/backend/src/stack.tsx
• docker/local-emulator/generate-env-development.mjs
• docker/local-emulator/qemu/cloud-init/emulator/user-data
• docker/local-emulator/qemu/run-emulator.sh
• docker/local-emulator/rotate-secrets.sh
• docker/server/entrypoint.sh

[greptile-apps]

Greptile Summary

This PR completes a mechanical rename of STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY to STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY across all 9 affected files. No residual references to the old name remain anywhere in the repository, and all propagation paths (cloud-init, rotate-secrets, entrypoint, seed script, and runtime StackServerApp constructor) are consistently updated.

• Complete rename: All 24 occurrences across backend env files, seed script, runtime config, and Docker/QEMU scripts now use STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY; a codebase-wide search confirms zero stragglers.
• Breaking change for existing deployments: Any environment that previously injected STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY (e.g., Kubernetes secrets, CI env vars) must be updated — in emulator mode the container exits at startup, and in standard Docker mode a fresh random key is silently generated if the new name is absent. The PR test plan explicitly flags this but leaves verification unchecked.
• Naming inconsistency remains: STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY and STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY retain their SEED prefix, so the three internal-project variables now follow different naming conventions.

Confidence Score: 4/5

Safe to merge into dev assuming any external deployment configs (CI secrets, Kubernetes, cloud environments) that set the old variable name are updated before or alongside this change.

The rename is thorough and complete — no occurrences of the old name survive in the repo. The remaining concern is that any operator running the Docker image with the old variable name in their environment will either get a silent random-key substitution (standard mode) or a hard startup failure (emulator mode). Two test-plan items were left unchecked, including the one that covers external config verification.

docker/server/entrypoint.sh and docker/local-emulator/rotate-secrets.sh are the most operationally sensitive files — they are the runtime entry points that consume or validate the renamed variable and will fail visibly if callers haven't switched over.

Important Files Changed

Filename	Overview
apps/backend/.env	Comment-only env template renamed from STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY to STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY
apps/backend/.env.development	Development env variable renamed; value and other variables unchanged
apps/backend/prisma/seed.ts	Seed script updated to read STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY; error message text also updated to match new name
apps/backend/src/stack.tsx	Runtime getEnvVariable call renamed to STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY; SSK still uses the SEED-prefixed name
docker/local-emulator/generate-env-development.mjs	Comment-only update reflecting the renamed variable; no functional code change
docker/local-emulator/qemu/cloud-init/emulator/user-data	Two cloud-init shell snippets updated: the env-file printf and the smoke-test docker exec -e flag both use the new variable name
docker/local-emulator/qemu/run-emulator.sh	qga_trigger_fast_rotate payload generation updated to use STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY
docker/local-emulator/rotate-secrets.sh	All four occurrences renamed: validation loop, output env file, sed placeholder comparison, SQL UPDATE, and NEXT_PUBLIC mirror all consistently use the new name
docker/server/entrypoint.sh	All six occurrences updated: emulator-mode required-var check, export statements, NEXT_PUBLIC mirror, bootstrap condition, hex validation loop, and SQL INSERT all use the new name

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[VM boot / host] -->|generates openssl rand -hex 32| B[STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY]
    B --> C{Deployment mode?}
    C -->|Emulator mode| D[user-data cloud-init\nsets var in env-file]
    C -->|Emulator mode| E[run-emulator.sh\nqga_trigger_fast_rotate payload]
    C -->|Standard Docker| F[entrypoint.sh\nautofills with openssl rand -base64 32\nif not set]
    D --> G[entrypoint.sh\nvalidates & exports var]
    E --> H[rotate-secrets.sh\nvalidates hex, writes rotated-secrets.env,\npatches JS bundles, UPDATEs ApiKeySet]
    G --> I[seed.ts\nreads process.env.STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY\nupserts internal ApiKeySet]
    G --> J[stack.tsx\ngetEnvVariable to construct StackServerApp]
    F --> I
    F --> J

Loading

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
apps/backend/src/stack.tsx:20-21
The PCK is now read under `STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY` (no `SEED` prefix), while `secretServerKey` still reads from `STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY`. This creates a naming inconsistency within the same constructor call that may confuse operators configuring both variables. Consider renaming the SSK variable in a follow-up to align the convention, or add a comment here explaining why the prefix differs.

```suggestion
    publishableClientKey: getEnvVariable('STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY'),
    secretServerKey: getEnvVariable('STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY'), // TODO: rename to STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY for consistency
```

_{Reviews (1): Last reviewed commit: "rename STACK_SEED_INTERNAL_PROJECT_PUBLI..." | Re-trigger Greptile}