chore: normalize env vars

[coodos]

Description of change

fix failing build and lint check

Issue Number

Type of change

• Fix (a change which fixes an issue)
• Chore (refactoring, build scripts or anything else that isn't user-facing)

How the change has been tested

Change checklist

• I have ensured that the CI Checks pass locally
• I have removed any unnecessary logic
• My code is well documented
• I have signed my commits
• My code follows the pattern of the application
• I have self reviewed my code

Summary by CodeRabbit

• Chores
  • Updated configuration environment variables for provisioner, notification trigger, and e-reputation endpoints.
  • Added Control Panel-related variables and a Visualizer API key; removed legacy Loki logging settings.
  • Reorganized environment variable sourcing to clearly separate public vs private configuration for deployment and runtime consistency.

[coderabbitai]

📝 Walkthrough

Walkthrough

Environment variables were reorganized: new public/private keys were added to example files and service code updated to import and use public env values (e.g., PUBLIC_PROVISIONER_URL, PUBLIC_EREPUTATION_BASE_URL) and adjusted fallback logic for provisioner/notification settings.

Changes

Cohort / File(s)	Summary
Environment examples infrastructure/control-panel/.env.example, .env.example	Added public control-panel and ereputation variables and notification/provisioner keys; introduced PUBLIC_PROVISIONER_URL, NOTIFICATION_TRIGGER_PORT, PUBLIC_EREPUTATION_BASE_URL, VISUALIZER_API_KEY, and reorganized control-panel related entries.
Service imports & logic infrastructure/control-panel/src/lib/services/notificationService.ts, infrastructure/control-panel/src/routes/api/references/+server.ts	Switched env imports to use public vs private static envs (e.g., PUBLIC_PROVISIONER_URL, PUBLIC_EREPUTATION_BASE_URL); removed fallback use of PROVISIONER_URL in device queries; VISUALIZER_API_KEY remains from private env.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I hopped through keys both public and shy,
Swapped a URL and gave old fallbacks a bye.
Tokens and triggers now know where to go,
A carrot of clarity — configurations flow. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore: normalize env vars' is concise and directly related to the main change, which involves normalizing and adding environment variables across multiple config files.
Description check	✅ Passed	The description follows the template structure with all required sections present. However, the 'How the change has been tested' section is empty, and details about which specific env vars were normalized are minimal.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/fix-build-and-env-sample-vars

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

infrastructure/control-panel/src/lib/services/notificationService.ts (1)

53-53: Deduplicate provisioner URL resolution.

The same PUBLIC_PROVISIONER_URL || 'http://localhost:3001' logic appears at Line 53 and Line 70. Extracting a helper avoids drift.

Proposed refactor

+function getProvisionerUrl(): string {
+	return PUBLIC_PROVISIONER_URL || 'http://localhost:3001';
+}
+
 export async function getDevicesWithTokens(): Promise<{ token: string; eName: string }[]> {
-	const provisionerUrl = PUBLIC_PROVISIONER_URL || 'http://localhost:3001';
+	const provisionerUrl = getProvisionerUrl();
 	try {
 		const response = await fetch(`${provisionerUrl}/api/devices/list`, {
 			signal: AbortSignal.timeout(10000)
@@
 export async function getDevicesByEName(
 	eName: string
 ): Promise<{ token: string; eName: string }[]> {
-	const provisionerUrl = PUBLIC_PROVISIONER_URL || 'http://localhost:3001';
+	const provisionerUrl = getProvisionerUrl();
 	try {
 		const response = await fetch(
 			`${provisionerUrl}/api/devices/by-ename/${encodeURIComponent(eName)}`,

Also applies to: 70-70

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@infrastructure/control-panel/src/lib/services/notificationService.ts` at line
53, Create a single helper to resolve the provisioner URL and replace the
duplicated inline expression; specifically, add a utility function (e.g.,
getProvisionerUrl or resolveProvisionerUrl) that returns PUBLIC_PROVISIONER_URL
|| 'http://localhost:3001' and use that helper wherever the code currently
assigns provisionerUrl (the duplicated const provisionerUrl =
PUBLIC_PROVISIONER_URL || 'http://localhost:3001'). Ensure the helper is
colocated or imported appropriately so both call sites use the same
implementation to avoid future drift.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@infrastructure/control-panel/.env.example`:
- Around line 14-15: Swap the dotenv entries so the port key appears before the
URL: move NOTIFICATION_TRIGGER_PORT to precede NOTIFICATION_TRIGGER_URL (ensure
the variables NOTIFICATION_TRIGGER_PORT and NOTIFICATION_TRIGGER_URL are ordered
as expected by dotenv-linter).

In `@infrastructure/control-panel/src/routes/api/references/`+server.ts:
- Line 7: The current initialization of baseUrl in +server.ts uses a localhost
fallback which can mask misconfiguration; change the code that defines baseUrl
(the symbol baseUrl) to fail fast by removing the 'http://localhost:8765'
fallback and instead throw an explicit error when PUBLIC_EREPUTATION_BASE_URL is
not set (e.g., if (!PUBLIC_EREPUTATION_BASE_URL) throw new Error("Missing
PUBLIC_EREPUTATION_BASE_URL"); baseUrl = PUBLIC_EREPUTATION_BASE_URL), so the
application fails startup in staging/production instead of silently using
localhost.

---

Nitpick comments:
In `@infrastructure/control-panel/src/lib/services/notificationService.ts`:
- Line 53: Create a single helper to resolve the provisioner URL and replace the
duplicated inline expression; specifically, add a utility function (e.g.,
getProvisionerUrl or resolveProvisionerUrl) that returns PUBLIC_PROVISIONER_URL
|| 'http://localhost:3001' and use that helper wherever the code currently
assigns provisionerUrl (the duplicated const provisionerUrl =
PUBLIC_PROVISIONER_URL || 'http://localhost:3001'). Ensure the helper is
colocated or imported appropriately so both call sites use the same
implementation to avoid future drift.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 252ef3a0-4b94-41f6-8077-b65f90b1e4ac

📥 Commits

Reviewing files that changed from the base of the PR and between 91d3c9f and bfaa8aa.

📒 Files selected for processing (3)

• infrastructure/control-panel/.env.example
• infrastructure/control-panel/src/lib/services/notificationService.ts
• infrastructure/control-panel/src/routes/api/references/+server.ts

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.env.example (2)

102-102: PUBLIC_EREPUTATION_BASE_URL addition looks appropriate for service consolidation.

The addition of PUBLIC_EREPUTATION_BASE_URL alongside VITE_EREPUTATION_BASE_URL appears intentional to support both Vite-based and SvelteKit-based services, as evidenced by the control-panel now importing from $env/static/public.

Optional: Address key ordering for consistency.

The dotenv-linter suggests placing PUBLIC_EREPUTATION_BASE_URL before VITE_EREPUTATION_BASE_URL for alphabetical consistency, though this is purely stylistic.

📝 Optional ordering adjustment

-VITE_EREPUTATION_BASE_URL=http://localhost:8765
 PUBLIC_EREPUTATION_BASE_URL=http://localhost:8765
+VITE_EREPUTATION_BASE_URL=http://localhost:8765

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.env.example at line 102, Add PUBLIC_EREPUTATION_BASE_URL to the .env
example is fine; to satisfy the dotenv-linter stylistic suggestion, reorder the
keys so PUBLIC_EREPUTATION_BASE_URL appears before VITE_EREPUTATION_BASE_URL for
alphabetical consistency (search for PUBLIC_EREPUTATION_BASE_URL and
VITE_EREPUTATION_BASE_URL in the file and swap their positions).

---

114-115: Optional: Address key ordering for consistency.

The dotenv-linter suggests reordering keys for alphabetical consistency:

• CONTROL_PANEL_JWT_SECRET should come before PUBLIC_CONTROL_PANEL_URL
• CONTROL_PANEL_ADMIN_ENAMES_FILE should come before CONTROL_PANEL_JWT_SECRET

📝 Optional ordering adjustment

 # Control Panel
-PUBLIC_CONTROL_PANEL_URL=http://localhost:5173
+CONTROL_PANEL_ADMIN_ENAMES_FILE=config/admin-enames.json
 CONTROL_PANEL_JWT_SECRET=replace-with-a-strong-secret
-CONTROL_PANEL_ADMIN_ENAMES_FILE=config/admin-enames.json
+PUBLIC_CONTROL_PANEL_URL=http://localhost:5173
 VISUALIZER_API_KEY=

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.env.example around lines 114 - 115, Reorder the environment keys in
.env.example for alphabetical consistency as suggested by dotenv-linter: move
CONTROL_PANEL_ADMIN_ENAMES_FILE to appear before CONTROL_PANEL_JWT_SECRET, and
ensure CONTROL_PANEL_JWT_SECRET appears before PUBLIC_CONTROL_PANEL_URL so the
sequence is ...CONTROL_PANEL_ADMIN_ENAMES_FILE, CONTROL_PANEL_JWT_SECRET,
PUBLIC_CONTROL_PANEL_URL.... This is purely ordering—no value or key changes
required.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.env.example:
- Around line 112-116: Remove CONTROL_PANEL_JWT_SECRET and
CONTROL_PANEL_ADMIN_ENAMES_FILE from the root .env.example and re-add them only
to the control-panel's local .env.example to avoid duplication; keep
VISUALIZER_API_KEY at the root since it is referenced by multiple services (see
control-panel auth token logic in
infrastructure/control-panel/src/lib/server/auth/token.ts and allowlist logic in
infrastructure/control-panel/src/lib/server/auth/allowlist.ts, and the
ereputation ReferenceController.ts) so update the root and control-panel example
files accordingly.

---

Nitpick comments:
In @.env.example:
- Line 102: Add PUBLIC_EREPUTATION_BASE_URL to the .env example is fine; to
satisfy the dotenv-linter stylistic suggestion, reorder the keys so
PUBLIC_EREPUTATION_BASE_URL appears before VITE_EREPUTATION_BASE_URL for
alphabetical consistency (search for PUBLIC_EREPUTATION_BASE_URL and
VITE_EREPUTATION_BASE_URL in the file and swap their positions).
- Around line 114-115: Reorder the environment keys in .env.example for
alphabetical consistency as suggested by dotenv-linter: move
CONTROL_PANEL_ADMIN_ENAMES_FILE to appear before CONTROL_PANEL_JWT_SECRET, and
ensure CONTROL_PANEL_JWT_SECRET appears before PUBLIC_CONTROL_PANEL_URL so the
sequence is ...CONTROL_PANEL_ADMIN_ENAMES_FILE, CONTROL_PANEL_JWT_SECRET,
PUBLIC_CONTROL_PANEL_URL.... This is purely ordering—no value or key changes
required.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 26c263af-2611-42c1-9882-e9fdde1d87f8

📥 Commits

Reviewing files that changed from the base of the PR and between bfaa8aa and b0ba75f.

📒 Files selected for processing (1)

• .env.example

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check which services import Control Panel environment variables

echo "=== Searching for CONTROL_PANEL_JWT_SECRET usage ==="
rg -n 'CONTROL_PANEL_JWT_SECRET' --type=ts --type=js -C2

echo -e "\n=== Searching for CONTROL_PANEL_ADMIN_ENAMES_FILE usage ==="
rg -n 'CONTROL_PANEL_ADMIN_ENAMES_FILE' --type=ts --type=js -C2

echo -e "\n=== Searching for VISUALIZER_API_KEY usage ==="
rg -n 'VISUALIZER_API_KEY' --type=ts --type=js -C2

echo -e "\n=== Searching for PUBLIC_CONTROL_PANEL_URL usage ==="
rg -n 'PUBLIC_CONTROL_PANEL_URL' --type=ts --type=js -C2

Repository: MetaState-Prototype-Project/prototype

Length of output: 6113

---

Reconsider which Control Panel variables belong at the root level.

Lines 112-116 add several configuration variables that partially duplicate infrastructure/control-panel/.env.example. The placement of these variables should be reviewed:

• CONTROL_PANEL_JWT_SECRET: Used only within control-panel's auth logic (infrastructure/control-panel/src/lib/server/auth/token.ts). No other services reference it. Consider keeping this local to control-panel.
• CONTROL_PANEL_ADMIN_ENAMES_FILE: Used only within control-panel's allowlist logic (infrastructure/control-panel/src/lib/server/auth/allowlist.ts). No other services reference it. Consider keeping this local to control-panel.
• VISUALIZER_API_KEY: Used by both the ereputation service (platforms/ereputation/api/src/controllers/ReferenceController.ts) and control-panel. Justifies root-level placement for cross-service coordination.

The duplication of control-panel-only variables creates maintenance overhead. Move CONTROL_PANEL_JWT_SECRET and CONTROL_PANEL_ADMIN_ENAMES_FILE back to the control-panel-local .env.example, keeping only VISUALIZER_API_KEY at the root level.

🧰 Tools

🪛 dotenv-linter (4.0.0)

[warning] 114-114: [UnorderedKey] The CONTROL_PANEL_JWT_SECRET key should go before the PUBLIC_CONTROL_PANEL_URL key

(UnorderedKey)

---

[warning] 115-115: [UnorderedKey] The CONTROL_PANEL_ADMIN_ENAMES_FILE key should go before the CONTROL_PANEL_JWT_SECRET key

(UnorderedKey)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.env.example around lines 112 - 116, Remove CONTROL_PANEL_JWT_SECRET and
CONTROL_PANEL_ADMIN_ENAMES_FILE from the root .env.example and re-add them only
to the control-panel's local .env.example to avoid duplication; keep
VISUALIZER_API_KEY at the root since it is referenced by multiple services (see
control-panel auth token logic in
infrastructure/control-panel/src/lib/server/auth/token.ts and allowlist logic in
infrastructure/control-panel/src/lib/server/auth/allowlist.ts, and the
ereputation ReferenceController.ts) so update the root and control-panel example
files accordingly.

[coodos]

No this is planned otherwise it just leads to bad dx, I mean at the env vars are injected in prod anyways so who cares

[coderabbitai]

@coodos, understood — keeping all variables consolidated in the root .env.example is an intentional choice for developer experience, since it gives contributors a single place to configure everything locally without hunting across sub-project directories. And with production vars being injected externally anyway, the duplication concern is moot. Thanks for the context!

---

✏️ Learnings added

Learnt from: coodos
Repo: MetaState-Prototype-Project/prototype PR: 920
File: .env.example:112-116
Timestamp: 2026-03-15T19:21:53.065Z
Learning: In MetaState-Prototype-Project/prototype, consolidating all environment variables (including service-specific ones like CONTROL_PANEL_JWT_SECRET and CONTROL_PANEL_ADMIN_ENAMES_FILE) in the root .env.example is intentional for developer experience. Contributors should have a single place to configure everything locally. In production, variables are injected directly, so root-level duplication of service-specific vars is acceptable and by design.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

---

🧠 Learnings used

Learnt from: coodos
Repo: MetaState-Prototype-Project/prototype PR: 415
File: infrastructure/eid-wallet/src/env.d.ts:8-8
Timestamp: 2025-11-13T10:34:52.527Z
Learning: In infrastructure/eid-wallet, PUBLIC_PLATFORM_URL should not be added to .env.example or configured as a static environment variable. The platform URL is extracted dynamically through URI parsing according to the protocol specification, and all fallbacks for platform URL are being removed.

---

Learnt from: coodos
Repo: MetaState-Prototype-Project/prototype PR: 458
File: platforms/eReputation-api/src/services/ReferenceSigningSessionService.ts:60-60
Timestamp: 2025-11-21T15:49:12.904Z
Learning: In platforms/eReputation-api/src/services/ReferenceSigningSessionService.ts, the VITE_EREPUTATION_BASE_URL environment variable intentionally has no fallback value. The service should fail if this environment variable is not set, following a fail-fast design pattern.