fix: Remove NEXT_AUTH references #681

Merged
elie222 merged 4 commits into elie222:main from edulelis:migrate-to-better-auth-v3
Aug 14, 2025
Conversation

@edulelis (Collaborator) commented Aug 13, 2025

Summary by CodeRabbit

  • Documentation

    • Renamed authentication references to Better Auth and updated setup/README environment instructions.
  • Chores

    • Standardized auth environment variables across app, CI, build, Docker; renamed secret variable (AUTH_SECRET) and removed the deprecated URL variable.
  • Improvements

    • Scheduled action execution now targets the public base URL.
    • Test workflow env var renamed to AUTH_SECRET.
  • Notes

    • Added runtime check requiring at least one auth secret; no other user-facing behavior changes.

@vercel bot commented Aug 13, 2025

@edulelis is attempting to deploy a commit to the Inbox Zero OSS Program Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai (Contributor) bot commented Aug 13, 2025

Walkthrough

Switches scheduling base URL for QStash to use NEXT_PUBLIC_BASE_URL and renames/adjusts auth environment variables from NEXTAUTH_* to AUTH_SECRET across configs, docs, CI, and Docker; adds runtime validation requiring at least one secret. Minor comment removal in a React component. No exported API signature changes.

Changes

Cohort: QStash scheduling update
File(s): .cursor/rules/features/delayed-actions.mdc
Change summary: Use NEXT_PUBLIC_BASE_URL (env) instead of NEXTAUTH_URL as the base for the /api/scheduled-actions/execute callback URL; payload fields unchanged.

Cohort: Auth env rename & validation
File(s): apps/web/env.ts, apps/web/utils/auth.ts, apps/web/.env.example, apps/web/app/(landing)/login/error/AutoLogOut.tsx
Change summary: Add AUTH_SECRET, make NEXTAUTH_SECRET optional, remove NEXTAUTH_URL and AUTH_TRUST_HOST from schema/examples; runtime check enforces at least one secret; auth config now sources `env.AUTH_SECRET`.

Cohort: CI / build / docker / tooling updates
File(s): .github/workflows/test.yml, docker/Dockerfile.prod, turbo.json, README.md
Change summary: Replace NEXTAUTH_SECRET usages with AUTH_SECRET in build/CI/docker env declarations and README examples; remove NEXTAUTH_URL from build envs; keep dummy secret values unchanged where applicable.

Cohort: Docs rename
File(s): ARCHITECTURE.md, README.md
Change summary: Rename references from NextAuth.js to Better Auth and update listed env/secret names in documentation and Deploy button params.

Sequence Diagram(s)

sequenceDiagram
  participant Scheduler as QStash Scheduler
  participant App as Web App (build config)
  participant Endpoint as /api/scheduled-actions/execute

  Note over App,Scheduler: Scheduling request is created by app
  App->>Scheduler: POST schedule (callbackUrl: ${NEXT_PUBLIC_BASE_URL}/api/scheduled-actions/execute, notBefore, body, deduplicationId)
  Scheduler->>Endpoint: GET/POST callback at ${NEXT_PUBLIC_BASE_URL}/api/scheduled-actions/execute
  Endpoint->>Endpoint: Execute scheduledActionId (process)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~15 minutes

Poem

A rabbit taps the env with care,
Swaps secrets, hops from here to there.
QStash now finds the base at play,
Docs and Docker join the relay.
Little hops, big change—hip hooray! 🥕


@jit-ci jit-ci bot left a comment

❌ Jit has detected 1 important finding in this PR that you should review.
The finding is detailed below as a comment.
It’s highly recommended that you fix this security issue before merge.

@coderabbitai (Contributor) coderabbitai bot left a comment

Actionable comments posted: 4

🔭 Outside diff range comments (3)
.github/workflows/test.yml (1)

42-55: Add NEXT_PUBLIC_BASE_URL to CI env to avoid build/test env parsing failures.
If apps/web/env.ts validates NEXT_PUBLIC_BASE_URL (common with zod schemas), tests/build may fail without it. Add a sensible default for CI.

Apply this diff:

       - name: Run tests
         run: pnpm -F inbox-zero-ai test
         env:
           RUN_AI_TESTS: false
           DATABASE_URL: "postgresql://postgres:postgres@localhost:5432/postgres"
           BETTER_AUTH_SECRET: "secret"
+          NEXT_PUBLIC_BASE_URL: "http://localhost:3000"
           GOOGLE_CLIENT_ID: "client_id"
           GOOGLE_CLIENT_SECRET: "client_secret"
           MICROSOFT_CLIENT_ID: "client_id"
           MICROSOFT_CLIENT_SECRET: "client_secret"
           GOOGLE_PUBSUB_TOPIC_NAME: "topic"
           EMAIL_ENCRYPT_SECRET: "secret"
           EMAIL_ENCRYPT_SALT: "salt"
           INTERNAL_API_KEY: "secret"
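Review bot: the premise that tests or the build fail without NEXT_PUBLIC_BASE_URL does not hold as stated; the follow-up verification later in this same review shows env.ts declares `NEXT_PUBLIC_BASE_URL: z.string().default("https://www.getinboxzero.com")`, so the variable is optional. Adding it to the CI env is still worth doing for a different reason: without it, any test that builds the QStash callback URL (`${NEXT_PUBLIC_BASE_URL}/api/scheduled-actions/execute`) will be constructed against the production domain rather than localhost, so the comment should say that instead of claiming a parsing failure.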
docker/Dockerfile.prod (1)

35-52: Add NEXT_PUBLIC_BASE_URL to build-time env to satisfy env schema at build.
If env.ts requires NEXT_PUBLIC_BASE_URL (string().min(1)), Next build will fail without it.

Apply this diff:

 ENV DIRECT_URL="postgresql://dummy:dummy@dummy:5432/dummy?schema=public"
 ENV BETTER_AUTH_SECRET="dummy_secret_for_build_only"
+ENV NEXT_PUBLIC_BASE_URL="http://localhost:3000"
 ENV GOOGLE_CLIENT_ID="dummy_id_for_build_only"
 ENV GOOGLE_CLIENT_SECRET="dummy_secret_for_build_only"
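Review bot: as with the CI suggestion, env.ts gives NEXT_PUBLIC_BASE_URL a production default, so `next build` does not fail without it and this line is not needed for the stated reason. If it is added anyway, it should be an ARG rather than an ENV: an `ENV NEXT_PUBLIC_BASE_URL="http://localhost:3000"` persists into the final image and, unlike an unset variable, overrides the env.ts default, so any deployment that forgets to pass the runtime value would have QStash call back to localhost and scheduled actions would silently never execute.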
apps/web/env.ts (1)

16-123: Remove leftover AUTH_TRUST_HOST in apps/web/.env.example

Found one leftover reference; no NEXTAUTH_* matches were found.

Suggested action: remove or update this line in .env.example to avoid referencing deprecated NextAuth envs (or clarify if still intentionally kept).

🧹 Nitpick comments (4)
.github/workflows/test.yml (1)

46-47: Address Checkov secret exposure warning (CKV_SECRET_4).
These are dummy values, but static analyzers will flag them. Prefer GitHub Encrypted Secrets for anything that could become non-dummy later.

Optionally switch to GitHub Secrets for CI:

-          BETTER_AUTH_SECRET: "secret"
+          BETTER_AUTH_SECRET: ${{ secrets.BETTER_AUTH_SECRET || 'secret' }}
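Review bot: the `|| 'secret'` fallback keeps the literal "secret" in the workflow file, so the Checkov CKV_SECRET_4 warning this change is meant to address is likely to keep firing, and for pull_request runs from forks (like this PR) repository secrets are not exposed, so the fallback branch is what actually executes. If the aim is only to quiet the scanner, a value that is unambiguously non-secret (for example a test-only prefixed string) is more honest than an expression that implies a real secret is in use; if the aim is a real secret, the fallback should be dropped and the test made to fail when the variable is missing.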

Note: If you don’t want expression logic, keep the literal "secret" but add a repository secret later and update CI when ready.

README.md (1)

126-128: Optional: Update OAuth docs links away from next-auth references.
These links still point to next-auth provider docs. Consider linking to Google/Microsoft official OAuth docs or Better Auth docs to align with the migration.

.cursor/rules/features/delayed-actions.mdc (1)

75-82: Server base URL strategy: consider a server-only BASE_URL instead of NEXT_PUBLIC_ usage.
Relying on NEXT_PUBLIC_BASE_URL in server-only paths can be surprising. Alternatively:

  • Define a server-only BASE_URL and derive client URLs from window.location when needed; or
  • Prefer Vercel’s runtime env (e.g., VERCEL_URL) when available to avoid manual configuration.
docker/Dockerfile.prod (1)

35-52: Optional: Avoid persisting dummy secrets as ENV in final image.
Using ENV bakes defaults into the image. If strictly build-time, prefer ARG to avoid leaking in image metadata. Keep ENV only for values that must exist at runtime without overrides.

Example pattern:

# build-time only
ARG NEXT_PUBLIC_BASE_URL="http://localhost:3000"
ARG BETTER_AUTH_SECRET="dummy_secret_for_build_only"
# Use them during build steps if needed:
# RUN --mount=type=secret,id=... <build command>

# At runtime, rely on docker run -e ... to inject real values.
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f7802b6 and e4e4324.

📒 Files selected for processing (10)
  • .cursor/rules/features/delayed-actions.mdc (1 hunks)
  • .github/workflows/test.yml (1 hunks)
  • ARCHITECTURE.md (2 hunks)
  • README.md (2 hunks)
  • apps/web/.env.example (1 hunks)
  • apps/web/app/(landing)/login/error/AutoLogOut.tsx (0 hunks)
  • apps/web/env.ts (1 hunks)
  • apps/web/utils/auth.ts (1 hunks)
  • docker/Dockerfile.prod (1 hunks)
  • turbo.json (1 hunks)
💤 Files with no reviewable changes (1)
  • apps/web/app/(landing)/login/error/AutoLogOut.tsx
🧰 Additional context used
📓 Path-based instructions (15)
!{.cursor/rules/*.mdc}

📄 CodeRabbit Inference Engine (.cursor/rules/cursor-rules.mdc)

Never place rule files in the project root, in subdirectories outside .cursor/rules, or in any other location

Files:

  • .cursor/rules/features/delayed-actions.mdc
  • ARCHITECTURE.md
  • apps/web/utils/auth.ts
  • turbo.json
  • apps/web/env.ts
  • README.md
  • .github/workflows/test.yml
  • docker/Dockerfile.prod
  • apps/web/.env.example
!pages/_document.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/ultracite.mdc)

!pages/_document.{js,jsx,ts,tsx}: Don't import next/document outside of pages/_document.jsx in Next.js projects.
Don't import next/document outside of pages/_document.jsx in Next.js projects.

Files:

  • .cursor/rules/features/delayed-actions.mdc
  • ARCHITECTURE.md
  • apps/web/utils/auth.ts
  • turbo.json
  • apps/web/env.ts
  • README.md
  • .github/workflows/test.yml
  • docker/Dockerfile.prod
  • apps/web/.env.example
*{TASKS,ASSISTANT_CHAT,*.md}

📄 CodeRabbit Inference Engine (.cursor/rules/task-list.mdc)

*{TASKS,ASSISTANT_CHAT,*.md}: Create task lists in a markdown file in the project root, using TASKS.md or a descriptive name relevant to the feature (e.g., ASSISTANT_CHAT.md), and include a clear title and description of the feature being implemented.
Structure the task list markdown file with sections: Completed Tasks, In Progress Tasks, Future Tasks, Implementation Plan, and Relevant Files.
Update the task list as you progress: mark tasks as completed by changing [ ] to [x], add new tasks as identified, and move tasks between sections as appropriate.
Keep the 'Relevant Files' section updated with file paths, brief descriptions of each file's purpose, and status indicators (e.g., ✅) for completed components.
Add implementation details to the task list markdown file, including architecture decisions, data flow descriptions, technical components needed, and environment configuration.
When working with task lists, regularly update the task list file after implementing significant components, mark completed tasks with [x], add new tasks discovered during implementation, maintain the 'Relevant Files' section, and document implementation details.
When implementing tasks one by one, first check which task to implement next, and after implementing a task, update the file to reflect progress.

Files:

  • ARCHITECTURE.md
  • README.md
apps/web/**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (apps/web/CLAUDE.md)

apps/web/**/*.{ts,tsx}: Use TypeScript with strict null checks
Path aliases: Use @/ for imports from project root
Use proper error handling with try/catch blocks
Format code with Prettier
Leverage TypeScript inference for better DX

Files:

  • apps/web/utils/auth.ts
  • apps/web/env.ts
**/*.ts

📄 CodeRabbit Inference Engine (.cursor/rules/form-handling.mdc)

**/*.ts: The same validation should be done in the server action too
Define validation schemas using Zod

Files:

  • apps/web/utils/auth.ts
  • apps/web/env.ts
**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/logging.mdc)

**/*.{ts,tsx}: Use createScopedLogger for logging in backend TypeScript files
Typically add the logger initialization at the top of the file when using createScopedLogger
Only use .with() on a logger instance within a specific function, not for a global logger

Import Prisma in the project using import prisma from "@/utils/prisma";

**/*.{ts,tsx}: Don't use TypeScript enums.
Don't use TypeScript const enum.
Don't use the TypeScript directive @ts-ignore.
Don't use primitive type aliases or misleading types.
Don't use empty type parameters in type aliases and interfaces.
Don't use any or unknown as type constraints.
Don't use implicit any type on variable declarations.
Don't let variables evolve into any type through reassignments.
Don't use non-null assertions with the ! postfix operator.
Don't misuse the non-null assertion operator (!) in TypeScript files.
Don't use user-defined types.
Use as const instead of literal types and type annotations.
Use export type for types.
Use import type for types.
Don't declare empty interfaces.
Don't merge interfaces and classes unsafely.
Don't use overload signatures that aren't next to each other.
Use the namespace keyword instead of the module keyword to declare TypeScript namespaces.
Don't use TypeScript namespaces.
Don't export imported variables.
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions.
Don't use parameter properties in class constructors.
Use either T[] or Array consistently.
Initialize each enum member value explicitly.
Make sure all enum members are literal values.

Files:

  • apps/web/utils/auth.ts
  • apps/web/env.ts
apps/web/utils/**

📄 CodeRabbit Inference Engine (.cursor/rules/project-structure.mdc)

Create utility functions in utils/ folder for reusable logic

Files:

  • apps/web/utils/auth.ts
apps/web/utils/**/*.ts

📄 CodeRabbit Inference Engine (.cursor/rules/project-structure.mdc)

apps/web/utils/**/*.ts: Use lodash utilities for common operations (arrays, objects, strings)
Import specific lodash functions to minimize bundle size

Files:

  • apps/web/utils/auth.ts
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/ultracite.mdc)

**/*.{js,jsx,ts,tsx}: Don't use elements in Next.js projects.
Don't use elements in Next.js projects.
Don't use namespace imports.
Don't access namespace imports dynamically.
Don't use global eval().
Don't use console.
Don't use debugger.
Don't use var.
Don't use with statements in non-strict contexts.
Don't use the arguments object.
Don't use consecutive spaces in regular expression literals.
Don't use the comma operator.
Don't use unnecessary boolean casts.
Don't use unnecessary callbacks with flatMap.
Use for...of statements instead of Array.forEach.
Don't create classes that only have static members (like a static namespace).
Don't use this and super in static contexts.
Don't use unnecessary catch clauses.
Don't use unnecessary constructors.
Don't use unnecessary continue statements.
Don't export empty modules that don't change anything.
Don't use unnecessary escape sequences in regular expression literals.
Don't use unnecessary labels.
Don't use unnecessary nested block statements.
Don't rename imports, exports, and destructured assignments to the same name.
Don't use unnecessary string or template literal concatenation.
Don't use String.raw in template literals when there are no escape sequences.
Don't use useless case statements in switch statements.
Don't use ternary operators when simpler alternatives exist.
Don't use useless this aliasing.
Don't initialize variables to undefined.
Don't use the void operators (they're not familiar).
Use arrow functions instead of function expressions.
Use Date.now() to get milliseconds since the Unix Epoch.
Use .flatMap() instead of map().flat() when possible.
Use literal property access instead of computed property access.
Don't use parseInt() or Number.parseInt() when binary, octal, or hexadecimal literals work.
Use concise optional chaining instead of chained logical expressions.
Use regular expression literals instead of the RegExp constructor when possible.
Don't use number literal object member names th...

Files:

  • apps/web/utils/auth.ts
  • apps/web/env.ts
turbo.json

📄 CodeRabbit Inference Engine (.cursor/rules/environment-variables.mdc)

When adding a new environment variable, add it to turbo.json under tasks.build.env to ensure it is included in the build process.

Files:

  • turbo.json
apps/web/**/{.env.example,env.ts,turbo.json}

📄 CodeRabbit Inference Engine (apps/web/CLAUDE.md)

Add environment variables to .env.example, env.ts, and turbo.json

Files:

  • apps/web/env.ts
  • apps/web/.env.example
apps/web/**/{.env.example,env.ts}

📄 CodeRabbit Inference Engine (apps/web/CLAUDE.md)

Client-side environment variables: Prefix with NEXT_PUBLIC_

Files:

  • apps/web/env.ts
  • apps/web/.env.example
apps/web/env.ts

📄 CodeRabbit Inference Engine (.cursor/rules/environment-variables.mdc)

apps/web/env.ts: When adding a new environment variable, add it to apps/web/env.ts in the appropriate section: use server for server-only variables, and for client-side variables, use the client section and also add to experimental__runtimeEnv.
Client-side environment variables must be prefixed with NEXT_PUBLIC_ and added to both the client and experimental__runtimeEnv sections in apps/web/env.ts.

Files:

  • apps/web/env.ts
apps/web/.env.example

📄 CodeRabbit Inference Engine (.cursor/rules/environment-variables.mdc)

When adding a new environment variable, add it to .env.example with an example value (e.g., NEW_VARIABLE=value_example).

Files:

  • apps/web/.env.example
**/.env*

📄 CodeRabbit Inference Engine (.cursor/rules/security.mdc)

Never use predictable or weak cron secrets (e.g., 'secret', 'password', 'cron', or short/simple strings) in environment variables.

Files:

  • apps/web/.env.example
🧠 Learnings (10)
📓 Common learnings
Learnt from: CR
PR: elie222/inbox-zero#0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-07-18T15:04:30.467Z
Learning: Applies to apps/web/**/{.env.example,env.ts} : Client-side environment variables: Prefix with `NEXT_PUBLIC_`
Learnt from: CR
PR: elie222/inbox-zero#0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-07-18T15:04:50.520Z
Learning: Applies to apps/web/env.ts : Client-side environment variables must be prefixed with `NEXT_PUBLIC_` and added to both the `client` and `experimental__runtimeEnv` sections in `apps/web/env.ts`.
📚 Learning: 2025-07-19T17:50:28.270Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-07-19T17:50:28.270Z
Learning: The `utils` folder also contains core app logic such as Next.js Server Actions and Gmail API requests.

Applied to files:

  • ARCHITECTURE.md
📚 Learning: 2025-07-20T09:00:41.968Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-07-20T09:00:41.968Z
Learning: Applies to apps/web/app/api/**/*.{ts,js} : Do not hardcode weak or plaintext secrets in API route files; secrets must not be directly assigned as string literals.

Applied to files:

  • apps/web/utils/auth.ts
📚 Learning: 2025-07-18T15:04:30.467Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-07-18T15:04:30.467Z
Learning: Applies to apps/web/**/{.env.example,env.ts} : Client-side environment variables: Prefix with `NEXT_PUBLIC_`

Applied to files:

  • apps/web/utils/auth.ts
  • turbo.json
  • apps/web/env.ts
  • README.md
  • apps/web/.env.example
📚 Learning: 2025-07-18T15:04:50.520Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-07-18T15:04:50.520Z
Learning: Applies to apps/web/env.ts : Client-side environment variables must be prefixed with `NEXT_PUBLIC_` and added to both the `client` and `experimental__runtimeEnv` sections in `apps/web/env.ts`.

Applied to files:

  • apps/web/utils/auth.ts
  • apps/web/env.ts
  • README.md
  • apps/web/.env.example
📚 Learning: 2025-07-18T15:04:50.520Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-07-18T15:04:50.520Z
Learning: Applies to turbo.json : When adding a new environment variable, add it to `turbo.json` under `tasks.build.env` to ensure it is included in the build process.

Applied to files:

  • turbo.json
📚 Learning: 2025-07-18T15:04:30.467Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-07-18T15:04:30.467Z
Learning: Applies to apps/web/**/{.env.example,env.ts,turbo.json} : Add environment variables to `.env.example`, `env.ts`, and `turbo.json`

Applied to files:

  • turbo.json
  • apps/web/env.ts
  • apps/web/.env.example
📚 Learning: 2025-07-18T15:04:50.520Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-07-18T15:04:50.520Z
Learning: Applies to apps/web/env.ts : When adding a new environment variable, add it to `apps/web/env.ts` in the appropriate section: use `server` for server-only variables, and for client-side variables, use the `client` section and also add to `experimental__runtimeEnv`.

Applied to files:

  • apps/web/env.ts
📚 Learning: 2025-07-18T15:04:50.520Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-07-18T15:04:50.520Z
Learning: Applies to apps/web/.env.example : When adding a new environment variable, add it to `.env.example` with an example value (e.g., NEW_VARIABLE=value_example).

Applied to files:

  • apps/web/.env.example
📚 Learning: 2025-07-19T15:06:43.730Z
Learnt from: garnertb
PR: elie222/inbox-zero#580
File: apps/web/.env.example:4-7
Timestamp: 2025-07-19T15:06:43.730Z
Learning: In apps/web/.env.example, boolean environment variables follow an unquoted convention (e.g., LOG_ZOD_ERRORS=true, AUTH_TRUST_HOST=true). Logical grouping of related variables (like auth variables together) is preferred over strict alphabetical ordering for better developer experience.

Applied to files:

  • apps/web/.env.example
🧬 Code Graph Analysis (1)
apps/web/utils/auth.ts (1)
apps/web/env.ts (1)
  • env (16-224)
🪛 Checkov (3.2.334)
.github/workflows/test.yml

[MEDIUM] 46-47: Basic Auth Credentials

(CKV_SECRET_4)

🪛 dotenv-linter (3.3.0)
apps/web/.env.example

[warning] 4-4: [SpaceCharacter] The line has spaces around equal sign


[warning] 4-4: [ValueWithoutQuotes] This value needs to be surrounded in quotes

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Jit Security
🔇 Additional comments (9)
.github/workflows/test.yml (1)

47-47: Correct variable rename to BETTER_AUTH_SECRET in CI.
The rename aligns with the PR objective and the broader changes. No functional issues.

turbo.json (2)

10-10: BETTER_AUTH_SECRET added to build env – good.
Matches the migration away from NEXTAUTH_* and ensures availability during build.


109-128: NEXT_PUBLIC_BASE_URL present in build env – good catch.
This supports the QStash scheduling change using NEXT_PUBLIC_BASE_URL.

.cursor/rules/features/delayed-actions.mdc (1)

75-82: No action needed — NEXT_PUBLIC_BASE_URL is present in apps/web/env.ts (client schema + experimental__runtimeEnv)

Confirmed: NEXT_PUBLIC_BASE_URL is declared in the client zod schema and also exposed via experimental__runtimeEnv, so server-side scheduling code can access it.

  • apps/web/env.ts — client schema (line ~149): NEXT_PUBLIC_BASE_URL: z.string().default("https://www.getinboxzero.com")
  • apps/web/env.ts — experimental__runtimeEnv (line ~206): NEXT_PUBLIC_BASE_URL: process.env.NEXT_PUBLIC_BASE_URL
docker/Dockerfile.prod (1)

37-37: BETTER_AUTH_SECRET build-time dummy env added – consistent with migration.
This keeps builds unblocked and aligns with the rename.

ARCHITECTURE.md (2)

40-40: Docs rename to Better Auth looks correct

Accurate terminology update; matches the PR objective of removing NextAuth references.


119-119: Auth endpoints path looks consistent

“/api/auth/*” aligns with Better Auth’s default route namespace.

apps/web/env.ts (1)

21-21: Switch to server-only BETTER_AUTH_SECRET is correct

Good replacement for NEXTAUTH_SECRET and aligned with env management via @t3-oss/env-nextjs.

apps/web/utils/auth.ts (1)

46-46: Using env.BETTER_AUTH_SECRET in betterAuth config looks good

Aligned with the new server env and removes direct NEXTAUTH_SECRET usage.

@jit-ci jit-ci bot left a comment

❌ Jit has detected 1 important finding in this PR that you should review.
The finding is detailed as a comment.
It’s highly recommended that you fix this security issue before merge.

Until now, you ignored/fixed 1 finding.

@coderabbitai (Contributor) coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
apps/web/.env.example (1)

4-4: Provide an example value and fix dotenv-linter warnings for AUTH_SECRET.

Move the comment to its own line and add a quoted example value to satisfy SpaceCharacter/ValueWithoutQuotes rules.

Apply this diff:

-AUTH_SECRET= # Generate a random secret here: https://generate-secret.vercel.app/32
+# Generate a random secret here: https://generate-secret.vercel.app/32
+AUTH_SECRET="example_32_char_secret_value"
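Review bot: a concrete, working-looking value such as "example_32_char_secret_value" in .env.example tends to be copied into real deployments unchanged, which conflicts with the security rule cited further down in this review (never use predictable or weak secrets in environment variables); the string is also only 28 characters, so its name overstates it. Keeping the comment on its own line is fine, but the value should stay empty so that the new runtime check refuses to start until a real secret has been generated, rather than running with a placeholder that happens to pass.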

Follow-up:

  • If the app now relies on NEXT_PUBLIC_BASE_URL (per PR summary), ensure it’s added here with an example value and wired in apps/web/env.ts and turbo.json per our guidelines.
🧹 Nitpick comments (1)
docker/Dockerfile.prod (1)

37-37: Avoid baking auth secrets into the final image; make the dummy nature explicit or confine to a build stage.

These are dummy placeholders, but ENV persists in the final image. At minimum, make the value clearly non-sensitive to avoid scanners; ideally, use a multi-stage build and only set ENV in the build stage.

Minimal change to reduce scanner noise:

-ENV AUTH_SECRET="dummy_secret_for_build_only"
+ENV AUTH_SECRET="build_only_example_secret_do_not_use_in_prod_1234567890"
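Review bot: lengthening the dummy string reduces scanner noise but not the risk named in the same comment: the value is still an ENV in the final image, so a container started without `-e AUTH_SECRET` runs with a session-signing secret that is public in this PR and in the image metadata, and a presence-only runtime check will accept it. The durable fix is the one already mentioned, an ARG or a builder stage for build-time values, together with having the runtime check reject known build-only placeholders rather than only checking that a variable is set.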

Longer-term: move ENV declarations (including AUTH_SECRET) to a dedicated "builder" stage and copy only build artifacts into the final runtime image so these values don’t ship at all. I can draft a multi-stage Dockerfile if helpful.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e4e4324 and cf25fc4.

📒 Files selected for processing (8)
  • .cursor/rules/features/delayed-actions.mdc (1 hunks)
  • .github/workflows/test.yml (1 hunks)
  • README.md (2 hunks)
  • apps/web/.env.example (1 hunks)
  • apps/web/env.ts (2 hunks)
  • apps/web/utils/auth.ts (1 hunks)
  • docker/Dockerfile.prod (1 hunks)
  • turbo.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (5)
  • .cursor/rules/features/delayed-actions.mdc
  • apps/web/utils/auth.ts
  • turbo.json
  • apps/web/env.ts
  • README.md
🧰 Additional context used
📓 Path-based instructions (6)
!{.cursor/rules/*.mdc}

📄 CodeRabbit Inference Engine (.cursor/rules/cursor-rules.mdc)

Never place rule files in the project root, in subdirectories outside .cursor/rules, or in any other location

Files:

  • docker/Dockerfile.prod
  • apps/web/.env.example
  • .github/workflows/test.yml
!pages/_document.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/ultracite.mdc)

!pages/_document.{js,jsx,ts,tsx}: Don't import next/document outside of pages/_document.jsx in Next.js projects.
Don't import next/document outside of pages/_document.jsx in Next.js projects.

Files:

  • docker/Dockerfile.prod
  • apps/web/.env.example
  • .github/workflows/test.yml
apps/web/**/{.env.example,env.ts,turbo.json}

📄 CodeRabbit Inference Engine (apps/web/CLAUDE.md)

Add environment variables to .env.example, env.ts, and turbo.json

Files:

  • apps/web/.env.example
apps/web/**/{.env.example,env.ts}

📄 CodeRabbit Inference Engine (apps/web/CLAUDE.md)

Client-side environment variables: Prefix with NEXT_PUBLIC_

Files:

  • apps/web/.env.example
apps/web/.env.example

📄 CodeRabbit Inference Engine (.cursor/rules/environment-variables.mdc)

When adding a new environment variable, add it to .env.example with an example value (e.g., NEW_VARIABLE=value_example).

Files:

  • apps/web/.env.example
**/.env*

📄 CodeRabbit Inference Engine (.cursor/rules/security.mdc)

Never use predictable or weak cron secrets (e.g., 'secret', 'password', 'cron', or short/simple strings) in environment variables.

Files:

  • apps/web/.env.example
🧠 Learnings (7)

📓 Common learnings

Learnt from: CR
PR: elie222/inbox-zero#0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-07-18T15:04:30.467Z
Learning: Applies to apps/web/**/{.env.example,env.ts} : Client-side environment variables: Prefix with `NEXT_PUBLIC_`

📚 Learning: 2025-07-18T15:04:30.467Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-07-18T15:04:30.467Z
Learning: Applies to apps/web/**/{.env.example,env.ts} : Client-side environment variables: Prefix with `NEXT_PUBLIC_`

Applied to files:

  • docker/Dockerfile.prod
  • apps/web/.env.example

📚 Learning: 2025-07-18T15:04:50.520Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-07-18T15:04:50.520Z
Learning: Applies to apps/web/.env.example : When adding a new environment variable, add it to `.env.example` with an example value (e.g., NEW_VARIABLE=value_example).

Applied to files:

  • apps/web/.env.example

📚 Learning: 2025-07-18T15:04:30.467Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-07-18T15:04:30.467Z
Learning: Applies to apps/web/**/{.env.example,env.ts,turbo.json} : Add environment variables to `.env.example`, `env.ts`, and `turbo.json`

Applied to files:

  • apps/web/.env.example

📚 Learning: 2025-07-18T15:04:50.520Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-07-18T15:04:50.520Z
Learning: Applies to apps/web/env.ts : Client-side environment variables must be prefixed with `NEXT_PUBLIC_` and added to both the `client` and `experimental__runtimeEnv` sections in `apps/web/env.ts`.

Applied to files:

  • apps/web/.env.example

📚 Learning: 2025-07-19T15:06:43.730Z
Learnt from: garnertb
PR: elie222/inbox-zero#580
File: apps/web/.env.example:4-7
Timestamp: 2025-07-19T15:06:43.730Z
Learning: In apps/web/.env.example, boolean environment variables follow an unquoted convention (e.g., LOG_ZOD_ERRORS=true, AUTH_TRUST_HOST=true). Logical grouping of related variables (like auth variables together) is preferred over strict alphabetical ordering for better developer experience.

Applied to files:

  • apps/web/.env.example

📚 Learning: 2025-07-18T17:27:46.389Z
Learnt from: CR
PR: elie222/inbox-zero#0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-07-18T17:27:46.389Z
Learning: Applies to **/.env* : Never use predictable or weak cron secrets (e.g., 'secret', 'password', 'cron', or short/simple strings) in environment variables.

Applied to files:

  • apps/web/.env.example
🪛 dotenv-linter (3.3.0)
apps/web/.env.example

[warning] 4-4: [SpaceCharacter] The line has spaces around equal sign

(SpaceCharacter)


[warning] 4-4: [ValueWithoutQuotes] This value needs to be surrounded in quotes

(ValueWithoutQuotes)

🪛 Checkov (3.2.334)
.github/workflows/test.yml

[MEDIUM] 46-47: Basic Auth Credentials

(CKV_SECRET_4)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Jit Security

@jit-ci jit-ci bot left a comment

❌ Jit has detected 1 important finding in this PR that you should review.
The finding is detailed as a comment.
It’s highly recommended that you fix this security issue before merge.

Until now, you ignored/fixed 2 findings.

ENV DIRECT_URL="postgresql://dummy:dummy@dummy:5432/dummy?schema=public"
ENV NEXTAUTH_SECRET="dummy_secret_for_build_only"
ENV NEXTAUTH_URL="http://localhost:3000"
ENV AUTH_SECRET="dummy_secret_for_build_only"
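Review bot: `ENV AUTH_SECRET="dummy_secret_for_build_only"` is recorded in the image's metadata, so every container started from this image already has AUTH_SECRET set to the placeholder, and a deployment that forgets to supply a real value still satisfies the presence-only check `if (!env.AUTH_SECRET && !env.NEXTAUTH_SECRET)` in env.ts and serves traffic with a published secret. Since the value is only needed for `next build`, move it to a build-stage `ARG` (or otherwise ensure it does not reach the final stage) and have the runtime check reject this literal; the same consideration applies to the `NEXTAUTH_SECRET` line if it is kept for the legacy fallback.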
Security control: Docker Scan

Secrets Passed Via Build-Args Or Envs Or Copied Secret Files

Passing secrets via build-args or envs or copying secret files can leak them out

Severity: CRITICAL

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Secrets passed via build-args or envs or copied secret files" in docker/Dockerfile.prod; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

},
});

if (!env.AUTH_SECRET && !env.NEXTAUTH_SECRET) {
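Review bot: the condition only tests that one of the two variables is non-empty, so the `dummy_secret_for_build_only` value from docker/Dockerfile.prod in this same PR passes it at runtime. Consider rejecting that literal and enforcing a minimum length in this block, and add a comment stating which variable takes precedence when both are set, since the fallback order is not visible from the check itself.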
Collaborator Author
@edulelis edulelis Aug 14, 2025

Adding this check here as zod refine won't work for createEnv.
The createEnv package console.logs and throws the error.
https://github.com/t3-oss/t3-env/blob/92d2966dfecbb0d99e6e37be2b01a161a2d6d069/packages/core/src/index.ts#L378-L379
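
As an added example, not code from the Inbox Zero repository or from the PR author, the following TypeScript shows a post-createEnv check that goes beyond presence: it keeps the PR's two variable names and AUTH_SECRET-first precedence, and additionally refuses the build-only placeholder visible in the Dockerfile hunk above and any value shorter than 32 characters. The placeholder list, the 32-character floor, the `phase` parameter and the `resolveAuthSecret` name are all assumptions made here, not project conventions.

```typescript
type EnvLike = Record<string, string | undefined>;
type SecretSource = "AUTH_SECRET" | "NEXTAUTH_SECRET";

// Values that must never reach a running server. The first is the literal from
// the PR's docker/Dockerfile.prod hunk; the others are assumed weak values added here.
const PLACEHOLDER_SECRETS: ReadonlySet<string> = new Set([
  "dummy_secret_for_build_only",
  "secret",
  "password",
  "changeme",
]);

// Assumed floor: `openssl rand -base64 32` yields 44 characters, so anything
// shorter than 32 is treated as hand-typed and rejected at runtime.
const MIN_SECRET_LENGTH = 32;

interface ResolvedAuthSecret {
  secret: string;
  source: SecretSource;
  warnings: string[];
}

// Runs after createEnv has validated individual variables; `phase` is an assumed
// knob so the build-only placeholder is tolerated during `next build` only.
function resolveAuthSecret(
  env: EnvLike,
  phase: "build" | "runtime" = "runtime",
): ResolvedAuthSecret {
  const warnings: string[] = [];

  // Same precedence as the PR's auth config: AUTH_SECRET first, then the legacy name.
  const candidates: Array<[SecretSource, string | undefined]> = [
    ["AUTH_SECRET", env.AUTH_SECRET],
    ["NEXTAUTH_SECRET", env.NEXTAUTH_SECRET],
  ];
  const chosen = candidates.find(
    ([, value]) => typeof value === "string" && value.length > 0,
  );
  if (!chosen) {
    // The case the PR's env.ts check covers; zod refine cannot express it on createEnv.
    throw new Error("Either AUTH_SECRET or NEXTAUTH_SECRET must be set");
  }
  const source = chosen[0];
  const secret = chosen[1] as string;

  if (source === "NEXTAUTH_SECRET") {
    warnings.push("NEXTAUTH_SECRET is the legacy name; rename it to AUTH_SECRET");
  }
  if (env.AUTH_SECRET && env.NEXTAUTH_SECRET && env.AUTH_SECRET !== env.NEXTAUTH_SECRET) {
    warnings.push("AUTH_SECRET and NEXTAUTH_SECRET differ; AUTH_SECRET is used");
  }

  // At runtime a baked-in placeholder or a short value is a hard failure, so an
  // image built with the dummy value cannot serve traffic until a real secret is set.
  if (phase === "runtime") {
    if (PLACEHOLDER_SECRETS.has(secret.toLowerCase())) {
      throw new Error(
        `${source} is a placeholder value; generate one with: openssl rand -base64 32`,
      );
    }
    if (secret.length < MIN_SECRET_LENGTH) {
      throw new Error(
        `${source} is ${secret.length} characters; at least ${MIN_SECRET_LENGTH} are required`,
      );
    }
  }

  return { secret, source, warnings };
}

// Stand-alone demonstration on a constructed value (not a real secret).
const demoEnv: EnvLike = {
  AUTH_SECRET: "u5bZ8rT1xQp0vLmN3cWd9eYhK2sAjF7gBqR4tVnX6oM=",
};
console.log(resolveAuthSecret(demoEnv).source);
```

In practice this would be called as `resolveAuthSecret(process.env)` right after `createEnv`, and with `"build"` from the Docker build step, so the placeholder the Jit scan flagged is useful for `next build` but never accepted by a running server.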

Comment on lines 10 to +11
"NEXTAUTH_SECRET",
"NEXTAUTH_URL",
"AUTH_SECRET",
Collaborator Author

Should both these vars stay here?

@elie222 elie222 merged commit e6a6148 into elie222:main Aug 14, 2025
9 of 13 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Aug 14, 2025
@edulelis edulelis deleted the migrate-to-better-auth-v3 branch August 27, 2025 20:32
This was referenced Nov 21, 2025