feat: enforce CODEBUFF_API_KEY restriction at type level

- Remove CODEBUFF_API_KEY from serverEnvSchema (web cannot access it)
- Add ESLint rule to catch direct process.env.CODEBUFF_API_KEY access in web
- CLI/SDK can still use process.env.CODEBUFF_API_KEY directly
- Prevents accidental credit abuse where web uses Codebuff API key

Author: brandonkachen

packages/internal/src/env-schema.ts

@@ -2,8 +2,7 @@ import { clientEnvSchema, clientProcessEnv } from '@codebuff/common/env-schema'
 import z from 'zod/v4'
 
 export const serverEnvSchema = clientEnvSchema.extend({
-  // Backend variables
-  CODEBUFF_API_KEY: z.string().optional(),
+  // LLM API keys
   OPEN_ROUTER_API_KEY: z.string().min(1),
   OPENAI_API_KEY: z.string().min(1),
   LINKUP_API_KEY: z.string().min(1),
@@ -37,8 +36,7 @@ export type ServerEnv = z.infer<typeof serverEnvSchema>
 export const serverProcessEnv: ServerInput = {
   ...clientProcessEnv,
 
-  // Backend variables
-  CODEBUFF_API_KEY: process.env.CODEBUFF_API_KEY,
+  // LLM API keys
   OPEN_ROUTER_API_KEY: process.env.OPEN_ROUTER_API_KEY,
   OPENAI_API_KEY: process.env.OPENAI_API_KEY,
   LINKUP_API_KEY: process.env.LINKUP_API_KEY,

web/.eslintrc.cjs

@@ -22,6 +22,15 @@ module.exports = {
     '@typescript-eslint/no-explicit-any': 'off',
     '@typescript-eslint/no-unused-vars': 'off',
     'react/no-unescaped-entities': 'off',
+    // Prevent using CODEBUFF_API_KEY in web - users must provide their own API key
+    // This prevents accidentally using Codebuff's credits for user operations
+    'no-restricted-syntax': [
+      'error',
+      {
+        selector: "MemberExpression[property.name='CODEBUFF_API_KEY']",
+        message: 'CODEBUFF_API_KEY is not allowed in web package. Users must provide their own API key via Authorization header.',
+      },
+    ],
   },
   settings: {
     tailwindcss: {