refactor: simplify CODEBUFF_API_KEY protection with ciOnlyEnvVars

- Remove CODEBUFF_API_KEY from typed serverEnvSchema entirely
- Add ciOnlyEnvVars array for CI injection only
- Remove webEnv/webEnvSchema (no longer needed)
- Revert web files from webEnv back to env
- env.CODEBUFF_API_KEY is now a TypeScript error everywhere
- Keep ESLint rule for process.env.CODEBUFF_API_KEY in web

Author: brandonkachen

packages/internal/src/env-schema.ts

@@ -2,10 +2,6 @@ import { clientEnvSchema, clientProcessEnv } from '@codebuff/common/env-schema'
 import z from 'zod/v4'
 
 export const serverEnvSchema = clientEnvSchema.extend({
-  // Codebuff API key - used by CLI/SDK for authentication
-  // NOTE: Web should NOT use this directly - users must provide their own key
-  // See web/.eslintrc.cjs for enforcement
-  CODEBUFF_API_KEY: z.string().optional(),
   // LLM API keys
   OPEN_ROUTER_API_KEY: z.string().min(1),
   OPENAI_API_KEY: z.string().min(1),
@@ -36,17 +32,15 @@ export type ServerInput = {
 }
 export type ServerEnv = z.infer<typeof serverEnvSchema>
 
-// Web-specific schema that omits CODEBUFF_API_KEY
-// Web should never use this key - users must provide their own via Authorization header
-export const webEnvSchema = serverEnvSchema.omit({ CODEBUFF_API_KEY: true })
-export type WebEnv = z.infer<typeof webEnvSchema>
+// CI-only env vars that are NOT in the typed schema
+// These are injected for SDK tests but should never be accessed via env.* in code
+export const ciOnlyEnvVars = ['CODEBUFF_API_KEY'] as const
+export type CiOnlyEnvVar = (typeof ciOnlyEnvVars)[number]
 
 // Bun will inject all these values, so we need to reference them individually (no for-loops)
 export const serverProcessEnv: ServerInput = {
   ...clientProcessEnv,
 
-  // Codebuff API key
-  CODEBUFF_API_KEY: process.env.CODEBUFF_API_KEY,
   // LLM API keys
   OPEN_ROUTER_API_KEY: process.env.OPEN_ROUTER_API_KEY,
   OPENAI_API_KEY: process.env.OPENAI_API_KEY,

packages/internal/src/env.ts

@@ -1,4 +1,4 @@
-import { serverEnvSchema, serverProcessEnv, webEnvSchema } from './env-schema'
+import { serverEnvSchema, serverProcessEnv } from './env-schema'
 
 // Provide safe defaults for local/test runs to avoid schema failures
 const ensureEnvDefault = (key: string, value: string) => {
@@ -29,9 +29,4 @@ if (process.env.NEXT_PUBLIC_CB_ENVIRONMENT !== 'prod') {
   console.log('Using environment:', process.env.NEXT_PUBLIC_CB_ENVIRONMENT)
 }
 
-// Full env for SDK/CLI - includes CODEBUFF_API_KEY
 export const env = serverEnvSchema.parse(serverProcessEnv)
-
-// Web-specific env - CODEBUFF_API_KEY does NOT exist on this type
-// Use this in web package to get type-level protection against using CODEBUFF_API_KEY
-export const webEnv = webEnvSchema.parse(serverProcessEnv)

scripts/generate-ci-env.ts

@@ -8,7 +8,7 @@ import path from 'path'
 import { fileURLToPath } from 'url'
 
 import { CLIENT_ENV_PREFIX, clientEnvVars } from '@codebuff/common/env-schema'
-import { serverEnvVars } from '@codebuff/internal/env-schema'
+import { ciOnlyEnvVars, serverEnvVars } from '@codebuff/internal/env-schema'
 
 const __filename = fileURLToPath(import.meta.url)
 const __dirname = path.dirname(__filename)
@@ -49,8 +49,10 @@ function parseArgs() {
 
 function generateGitHubEnv() {
   const { prefix, scope } = parseArgs()
+  // CI needs both serverEnvVars (typed schema) and ciOnlyEnvVars (for SDK tests)
+  const allVars = [...serverEnvVars, ...ciOnlyEnvVars]
   const varsByScope = {
-    all: serverEnvVars,
+    all: allVars,
     client: clientEnvVars,
   }
 

web/.eslintrc.cjs

@@ -22,27 +22,14 @@ module.exports = {
     '@typescript-eslint/no-explicit-any': 'off',
     '@typescript-eslint/no-unused-vars': 'off',
     'react/no-unescaped-entities': 'off',
-    // Prevent using CODEBUFF_API_KEY in web - users must provide their own API key
+    // Prevent using process.env.CODEBUFF_API_KEY in web - users must provide their own API key
     // This prevents accidentally using Codebuff's credits for user operations
+    // Note: env.CODEBUFF_API_KEY is already a TypeScript error (not in schema)
     'no-restricted-syntax': [
       'error',
       {
-        selector: "MemberExpression[property.name='CODEBUFF_API_KEY']",
-        message: 'CODEBUFF_API_KEY is not allowed in web package. Users must provide their own API key via Authorization header.',
-      },
-    ],
-    // Enforce using webEnv instead of env in web package
-    // webEnv omits CODEBUFF_API_KEY for type-level protection
-    'no-restricted-imports': [
-      'error',
-      {
-        paths: [
-          {
-            name: '@codebuff/internal/env',
-            importNames: ['env'],
-            message: "Use 'webEnv' instead of 'env' in web package. webEnv omits CODEBUFF_API_KEY for security.",
-          },
-        ],
+        selector: "MemberExpression[object.object.name='process'][object.property.name='env'][property.name='CODEBUFF_API_KEY']",
+        message: 'process.env.CODEBUFF_API_KEY is not allowed in web package. Users must provide their own API key via Authorization header.',
       },
     ],
   },

web/scripts/discord/register-commands.ts

@@ -1,4 +1,4 @@
-import { webEnv } from '@codebuff/internal/env'
+import { env } from '@codebuff/internal/env'
 import { REST, Routes, SlashCommandBuilder } from 'discord.js'
 
 import { logger } from '@/util/logger'
@@ -15,13 +15,13 @@ const commands = [
     ),
 ]
 
-const rest = new REST().setToken(webEnv.DISCORD_BOT_TOKEN)
+const rest = new REST().setToken(env.DISCORD_BOT_TOKEN)
 
 async function main() {
   try {
     logger.info('Started refreshing application (/) commands.')
 
-    await rest.put(Routes.applicationCommands(webEnv.DISCORD_APPLICATION_ID), {
+    await rest.put(Routes.applicationCommands(env.DISCORD_APPLICATION_ID), {
       body: commands,
     })
 

web/src/app/api/auth/[...nextauth]/auth-options.ts

@@ -8,7 +8,7 @@ import { generateCompactId } from '@codebuff/common/util/string'
 import { loops } from '@codebuff/internal'
 import db from '@codebuff/internal/db'
 import * as schema from '@codebuff/internal/db/schema'
-import { webEnv } from '@codebuff/internal/env'
+import { env } from '@codebuff/internal/env'
 import { stripeServer } from '@codebuff/internal/util/stripe'
 import { logSyncFailure } from '@codebuff/internal/util/sync-failure'
 import { eq } from 'drizzle-orm'
@@ -46,14 +46,14 @@ async function createAndLinkStripeCustomer(params: {
     // Create subscription with the usage price
     await stripeServer.subscriptions.create({
       customer: customer.id,
-      items: [{ price: webEnv.STRIPE_USAGE_PRICE_ID }],
+      items: [{ price: env.STRIPE_USAGE_PRICE_ID }],
     })
 
     await db
       .update(schema.user)
       .set({
         stripe_customer_id: customer.id,
-        stripe_price_id: webEnv.STRIPE_USAGE_PRICE_ID,
+        stripe_price_id: env.STRIPE_USAGE_PRICE_ID,
       })
       .where(eq(schema.user.id, userId))
 
@@ -137,8 +137,8 @@ export const authOptions: NextAuthOptions = {
   }) as Adapter,
   providers: [
     GitHubProvider({
-      clientId: webEnv.CODEBUFF_GITHUB_ID,
-      clientSecret: webEnv.CODEBUFF_GITHUB_SECRET,
+      clientId: env.CODEBUFF_GITHUB_ID,
+      clientSecret: env.CODEBUFF_GITHUB_SECRET,
     }),
   ],
   session: {

web/src/app/api/auth/cli/code/route.ts

@@ -1,7 +1,7 @@
 import { genAuthCode } from '@codebuff/common/util/credentials'
 import db from '@codebuff/internal/db'
 import * as schema from '@codebuff/internal/db/schema'
-import { webEnv } from '@codebuff/internal/env'
+import { env } from '@codebuff/internal/env'
 import { and, eq, gt } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
 import { z } from 'zod/v4'
@@ -25,7 +25,7 @@ export async function POST(req: Request) {
     const fingerprintHash = genAuthCode(
       fingerprintId,
       expiresAt.toString(),
-      webEnv.NEXTAUTH_SECRET,
+      env.NEXTAUTH_SECRET,
     )
 
     // Check if this fingerprint has any active sessions
@@ -56,7 +56,7 @@ export async function POST(req: Request) {
     }
 
     // Generate login URL without modifying the fingerprint record
-    const loginUrl = `${webEnv.NEXT_PUBLIC_CODEBUFF_APP_URL}/login?auth_code=${fingerprintId}.${expiresAt}.${fingerprintHash}${
+    const loginUrl = `${env.NEXT_PUBLIC_CODEBUFF_APP_URL}/login?auth_code=${fingerprintId}.${expiresAt}.${fingerprintHash}${
       referralCode ? `&referral_code=${referralCode}` : ''
     }`
 

web/src/app/api/auth/cli/status/route.ts

@@ -1,7 +1,7 @@
 import { genAuthCode } from '@codebuff/common/util/credentials'
 import db from '@codebuff/internal/db'
 import * as schema from '@codebuff/internal/db/schema'
-import { webEnv } from '@codebuff/internal/env'
+import { env } from '@codebuff/internal/env'
 import { and, eq, gt, or, isNull } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
 import { z } from 'zod/v4'
@@ -45,7 +45,7 @@ export async function GET(req: Request) {
   const expectedHash = genAuthCode(
     fingerprintId,
     expiresAt.toString(),
-    webEnv.NEXTAUTH_SECRET,
+    env.NEXTAUTH_SECRET,
   )
   if (fingerprintHash !== expectedHash) {
     logger.info(

web/src/app/api/orgs/[orgId]/billing/setup/route.ts

@@ -1,7 +1,7 @@
 import { pluralize } from '@codebuff/common/util/string'
 import db from '@codebuff/internal/db'
 import * as schema from '@codebuff/internal/db/schema'
-import { webEnv } from '@codebuff/internal/env'
+import { env } from '@codebuff/internal/env'
 import { stripeServer } from '@codebuff/internal/util/stripe'
 import { eq, and, sql } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
@@ -190,13 +190,13 @@ export async function POST(req: NextRequest, { params }: RouteParams) {
       mode: 'subscription',
       line_items: [
         {
-          price: webEnv.STRIPE_TEAM_FEE_PRICE_ID,
+          price: env.STRIPE_TEAM_FEE_PRICE_ID,
           quantity: seatCount,
         },
       ],
       allow_promotion_codes: true,
-      success_url: `${webEnv.NEXT_PUBLIC_CODEBUFF_APP_URL}/orgs/${organization.slug}/billing/purchase?subscription_success=true`,
-      cancel_url: `${webEnv.NEXT_PUBLIC_CODEBUFF_APP_URL}/orgs/${organization.slug}?subscription_canceled=true`,
+      success_url: `${env.NEXT_PUBLIC_CODEBUFF_APP_URL}/orgs/${organization.slug}/billing/purchase?subscription_success=true`,
+      cancel_url: `${env.NEXT_PUBLIC_CODEBUFF_APP_URL}/orgs/${organization.slug}?subscription_canceled=true`,
       metadata: {
         organization_id: orgId,
         type: 'subscription_setup',

web/src/app/api/orgs/[orgId]/billing/status/route.ts

@@ -1,6 +1,6 @@
 import db from '@codebuff/internal/db'
 import * as schema from '@codebuff/internal/db/schema'
-import { webEnv } from '@codebuff/internal/env'
+import { env } from '@codebuff/internal/env'
 import { stripeServer } from '@codebuff/internal/util/stripe'
 import { eq, and, sql } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
@@ -76,7 +76,7 @@ export async function GET(req: NextRequest, { params }: RouteParams) {
         // Create billing portal session
         const portalSession = await stripeServer.billingPortal.sessions.create({
           customer: organization.stripe_customer_id,
-          return_url: `${webEnv.NEXT_PUBLIC_CODEBUFF_APP_URL}/orgs/${organization.slug}/settings`,
+          return_url: `${env.NEXT_PUBLIC_CODEBUFF_APP_URL}/orgs/${organization.slug}/settings`,
         })
         billingPortalUrl = portalSession.url