docs(server): replace stale root .env-sample with apps/server/.env.example #38

Merged: andrewshell merged 3 commits into main from docs/server-env-example, Jul 1, 2026

andrewshell (Collaborator) commented Jul 1, 2026

What

Replaces the stale, misplaced root .env-sample with an accurate apps/server/.env.example.

Why

  • The server loads .env via dotenv from apps/server (that's the cwd pnpm start runs in), but the only sample sat at the repo root — so cp .env-sample .env never landed where the server actually reads.
  • The old sample carried just DOMAIN/PORT. The new one documents every config key with its default, and ships the loopback SSRF allowlists needed to run the hub against the local client harness (which serves its feed + WebSub callback on http://localhost:9000), now that the egress guard is always on — with a clear "delete for production" warning.

Notes

  • cp apps/server/.env.example apps/server/.env now gives a working local hub that interoperates with apps/client.
  • Verified locally: with these values the hub re-fetches the loopback feed and sends the WebSub verification GET to the loopback callback through the always-on guard, and records the subscription.
  • No README or script referenced the old sample, so nothing else needed updating.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated the server’s sample environment configuration with a fuller local-development template, including hub identity settings and SSRF egress-guard allowlists for WebSub fetch/callback traffic.
    • Removed outdated top-level sample environment entries and clarified optional override settings (URLs/paths, timing/throttling, lease/expiration, size limits, and test-only API enablement).
    • Tightened dependency resolution by adding an explicit js-yaml override in the root configuration.

…ample

The server reads .env from apps/server via dotenv, but the only sample lived at
the repo root and carried just DOMAIN/PORT. Move it to apps/server/.env.example
(where `cp` actually helps) and document every config key with defaults.

Include the loopback SSRF allowlists needed to run the hub against the local
client harness (feed + callback on http://localhost:9000), now that the egress
guard is always on — with a clear "delete for production" warning.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
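
The loopback allowlists described above, as an added example that is not the project's guard code: a minimal IPv4 egress check showing why an always-on guard refuses the harness on localhost:9000 until a loopback CIDR is allowlisted, and why that entry has to go before production. The comma-separated CIDR value format, the default-deny list and every function name here are assumptions.

```javascript
// Added illustration, not the project's guard. IPv4 only; anything else fails closed.
// Assumption: allowlist values (e.g. WEBSUB_FETCH_ALLOW_CIDRS) are comma-separated CIDRs.

// Destinations refused by default: "this network", RFC 1918, loopback, link-local.
const DEFAULT_DENY = ['0.0.0.0/8', '10.0.0.0/8', '127.0.0.0/8',
  '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16'];

function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => ((acc << 8) | o) >>> 0, 0);
}

function parseCidr(cidr) {
  const [base, bitsText = '32'] = cidr.trim().split('/');
  const addr = ipToInt(base);
  // Reject "127.0.0.1/" and similar: an empty prefix must never be read as /0.
  if (addr === null || !/^\d{1,2}$/.test(bitsText) || Number(bitsText) > 32) {
    throw new Error(`invalid CIDR in allowlist: ${cidr}`);
  }
  const bits = Number(bitsText);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { network: (addr & mask) >>> 0, mask };
}

function parseAllowlist(value) {
  return (value || '').split(',').filter((s) => s.trim() !== '').map(parseCidr);
}

function matches(addr, ranges) {
  return ranges.some((r) => ((addr & r.mask) >>> 0) === r.network);
}

// resolvedIp is the address the socket will connect to, not the URL hostname,
// so a name that resolves to loopback is judged by its address.
function egressAllowed(resolvedIp, allowlistValue) {
  const addr = ipToInt(resolvedIp);
  if (addr === null) return false;                       // unparseable: deny
  if (matches(addr, parseAllowlist(allowlistValue))) return true;
  return !matches(addr, DEFAULT_DENY.map(parseCidr));    // public unless denied
}
```

With an empty allowlist the loopback harness is refused; with `127.0.0.0/8` it is reachable, and so is every other loopback service on the host, which is the exposure the "delete for production" warning addresses.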

coderabbitai Bot commented Jul 1, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 99748e5d-bc2b-481c-be70-58d947a61215

📥 Commits

Reviewing files that changed from the base of the PR and between 6335b56 and 901016c.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

The changes add a server environment example with hub identity and WebSub allowlist settings, and update the root package overrides to pin js-yaml.

Changes

Configuration updates

| Layer / File(s) | Summary |
| --- | --- |
| Server env template: apps/server/.env.example | Adds a full server environment template with required hub identity variables, loopback allowlists for WebSub fetch and callback traffic, and commented optional overrides for URLs, paths, timeouts, leases, signatures, stats, housekeeping, and a test-only API flag. |
| Package override: package.json | Adds a js-yaml override to pnpm.overrides alongside the existing form-data constraint. |

Estimated code review effort: 1 (Trivial) | ~5 minutes

Poem

A bunny hops through config lanes,
With tidy envs and fewer pains.
A yaml pin lands just in time,
While WebSub guards keep paths in line.
🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely describes the main change: replacing the root .env-sample with apps/server/.env.example. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/server/.env.example`:
- Around line 28-29: The env template ordering in apps/server/.env.example is
triggering the dotenv-linter warning because WEBSUB_FETCH_ALLOW_CIDRS is listed
before WEBSUB_CALLBACK_ALLOW_CIDRS. Reorder these two entries so
WEBSUB_CALLBACK_ALLOW_CIDRS appears first, keeping the same values, to align
with the linter’s expected key order and avoid CI failures.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 8011d0b6-78f9-4af2-82da-63a6e01bae2c

📥 Commits

Reviewing files that changed from the base of the PR and between 2ae15ef and c5e3545.

📒 Files selected for processing (2)
  • .env-sample
  • apps/server/.env.example
💤 Files with no reviewable changes (1)
  • .env-sample

Comment thread apps/server/.env.example Outdated
andrewshell and others added 2 commits July 1, 2026 13:00
Keep WEBSUB_CALLBACK_ALLOW_CIDRS before WEBSUB_FETCH_ALLOW_CIDRS so all active
keys are in ascending order (satisfies dotenv-linter's UnorderedKey). Values and
comments unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…rp68

js-yaml 4.1.1 (dev-only, transitive via eslint's @eslint/eslintrc) carries a
medium-severity quadratic-complexity DoS in YAML merge-key handling. Pin the
override to ^4.2.0 (resolves 4.3.0) — patched and within eslintrc's ^4.x range.
A bare >=4.2.0 would jump to the incompatible js-yaml 5.x.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
andrewshell merged commit 66eb163 into main Jul 1, 2026
3 of 4 checks passed
andrewshell deleted the docs/server-env-example branch July 1, 2026 18:07