docs: add comprehensive environment variable setup guide

[cubxxw]

User description

Summary

This PR adds comprehensive documentation for environment variable setup to help new users properly configure the project.

Changes

• ✅ Created docs/ENV_SETUP.md with detailed setup instructions
• ✅ Clarified required vs optional environment variables
• ✅ Documented security best practices for API key management
• ✅ Added step-by-step setup instructions

Problem Solved

This addresses the confusion about environment variable configuration that was identified in the codebase analysis, specifically:

• Removes potential confusion about OR_SITE_URL vs REACT_APP_OPENROUTER_API_KEY
• Provides clear guidance for new users setting up the project
• Documents security best practices for API key handling

Testing

• Documentation reviewed for accuracy
• Setup instructions tested locally
• Links and references verified

Related Issues

Fixes environment variable configuration questions raised in codebase analysis.

🤖 Generated with Claude Code

---

Description

• Introduced a detailed guide for environment variable setup to assist new users.
• Clarified the distinction between required and optional environment variables.
• Documented best practices for API key security.
• Provided clear, step-by-step instructions for setting up the environment.

---

Changes walkthrough 📝

	Relevant files
Documentation	ENV_SETUP.md Comprehensive Environment Variable Setup Documentation      docs/ENV_SETUP.md Added comprehensive environment variable setup guide. Clarified required and optional environment variables. Documented security best practices for API key management. Provided step-by-step setup instructions. +30/-0

---

💡 Penify usage:
Comment /help on the PR to get a list of all available Penify tools and their descriptions

Summary by CodeRabbit

• Documentation
  • Added an environment setup guide with required API key details, optional env vars with defaults, setup steps, and security best practices.
• Bug Fixes
  • Save action in the UI now logs saved tests instead of updating the currently selected test.
• Tests
  • Cleaned up and simplified tests by removing unused imports/variables and replacing some wait-based assertions with direct async queries.
• Chores
  • Audit configuration updated to allowlist two advisories.

[coderabbitai]

Walkthrough

Adds ENV setup documentation, changes App.tsx to log saved tests instead of updating selection state, updates multiple tests to remove unused imports and simplify assertions/ESLint directives, removes one unused test variable, and adds two advisories to the audit allowlist.

Changes

Cohort / File(s)	Summary
Documentation: Environment Setup docs/ENV_SETUP.md	New documentation describing required REACT_APP_OPENROUTER_API_KEY (source and example), optional vars with defaults (REACT_APP_APP_NAME, REACT_APP_APP_VERSION, REACT_APP_API_BASE_URL), setup steps (.env from .env.example) and security guidance (gitignore, do not share keys, use env-specific keys).
UI: Save handler change src/App.tsx	Replaced the onSave handler passed to OutputPanel: previously it invoked setSelectedPromptTest(test) to update component state; now it is an inline function that logs the saved test to the console and does not update selection state.
Tests: imports, assertions, ESLint src/components/ChatPanel.test.tsx, src/components/JsonlRenderer.test.tsx, src/components/NextStepChat.test.tsx, src/components/OutputPanel.test.tsx, src/components/SavedTests.test.tsx	Removed unused imports (ChatMessage, fireEvent/waitFor where unused), added/adjusted ESLint testing-library directives in JsonlRenderer.test.tsx, replaced waitFor-based assertions with Testing Library async find queries in NextStepChat.test.tsx, and removed an unused mocked import (deletePromptTest) in SavedTests.test.tsx. Test behaviors unchanged.
Tests: dead-code removal src/utils/storage.test.ts	Removed an unused local variable (conversation) from a test; no behavior or public API changes.
Audit configuration audit-ci.json	Updated allowlist to include two advisories: GHSA-rp65-9cf3-cjxr and nth-check (exceptions for audit-ci).

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant OutputPanel
    participant App
    participant Console

    rect rgb(231,244,255)
    User->>OutputPanel: Click "Save" (save test)
    OutputPanel->>App: onSave(test)
    end

    par Previous behavior
        note right of App #e6f7e6: Old flow — updated selection state
        App->>App: setSelectedPromptTest(test)
        App-->>User: UI reflects selected test
    and Current behavior
        note right of App #fff7e6: New flow — logs only
        App->>Console: console.log("Saved test", test)
        App-->>User: No selection state change
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

I nibble notes in docs so neat,
A .env burrow, cozy and discreet.
Keys tucked safe beneath the night,
Saved tests whisper — logged, not in sight.
Hop on, commit — carrot cheers tonight! 🥕

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Free

💡 Knowledge Base configuration:

• Jira integration is disabled
• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3bdc92e and 1785ed8.

📒 Files selected for processing (1)

• audit-ci.json (1 hunks)

---

Note

🎁 Summarized by CodeRabbit Free

Your organization is on the Free plan. CodeRabbit will generate a high-level summary and a walkthrough for each pull request. For a comprehensive line-by-line review, please upgrade your subscription to CodeRabbit Pro by visiting https://app.coderabbit.ai/login.

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Join our Discord community for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[qodo-code-review]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Inaccurate Defaults The documented defaults for optional variables (like REACT_APP_API_BASE_URL) should be verified against the actual application defaults or .env.example to avoid drift and confusion. - `REACT_APP_APP_NAME`: Application name (default: "Prompt Tester") - `REACT_APP_APP_VERSION`: Application version (default: "1.0.0") - `REACT_APP_API_BASE_URL`: API base URL (default: https://openrouter.ai/api/v1) Frontend Env Prefix In many React setups only variables prefixed with REACT_APP_ (CRA) or VITE_ (Vite) are exposed; confirm this matches the build tool and note it explicitly to prevent misconfiguration. ## Required Environment Variables ### Core Configuration - `REACT_APP_OPENROUTER_API_KEY`: Your OpenRouter API key (required) - Get from: https://openrouter.ai/keys - Format: `sk-or-v1-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` ### Optional Configuration - `REACT_APP_APP_NAME`: Application name (default: "Prompt Tester") - `REACT_APP_APP_VERSION`: Application version (default: "1.0.0") - `REACT_APP_API_BASE_URL`: API base URL (default: https://openrouter.ai/api/v1)

[penify-dev]

PR Review 🔍

⏱️ Estimated effort to review [1-5]	2, because the changes are primarily documentation and straightforward, requiring minimal review effort.
🧪 Relevant tests	Yes
⚡ Possible issues	No
🔒 Security concerns	No

[qodo-code-review]

CI Feedback 🧐

(Feedback updated until commit c99d275)

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: Lint & Test

Failed stage: Install dependencies [❌]

Failure summary: The action failed during dependency installation with pnpm due to a missing or incompatible lockfile: - Command: pnpm install --frozen-lockfile - pnpm reported: Ignoring not compatible lockfile at /home/runner/work/aireader/aireader/pnpm-lock.yaml - Error: ERR_PNPM_NO_LOCKFILE  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is absent - In CI, frozen-lockfile is true by default; installation requires a valid pnpm-lock.yaml or running with --no-frozen-lockfile.

Relevant error logs: 1: ##[group]Runner Image Provisioner 2: Hosted Compute Agent ... 165: ##[endgroup] 166: [command]/home/runner/setup-pnpm/node_modules/.bin/pnpm store path --silent 167: /home/runner/setup-pnpm/node_modules/.bin/store/v3 168: pnpm cache is not found 169: ##[group]Run pnpm install --frozen-lockfile 170: �[36;1mpnpm install --frozen-lockfile�[0m 171: shell: /usr/bin/bash -e {0} 172: env: 173: NODE_VERSION: 18 174: PNPM_VERSION: 8 175: PNPM_HOME: /home/runner/setup-pnpm/node_modules/.bin 176: ##[endgroup] 177: WARN  Ignoring not compatible lockfile at /home/runner/work/aireader/aireader/pnpm-lock.yaml 178: ERR_PNPM_NO_LOCKFILE  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is absent 179: Note that in CI environments this setting is true by default. If you still need to run install in such cases, use "pnpm install --no-frozen-lockfile" 180: ##[error]Process completed with exit code 1. 181: Post job cleanup.

[penify-dev]

PR Code Suggestions ✨

Category	Suggestion	Score
Security	Emphasize the importance of keeping the .env file secure from public exposure Include a note about the importance of keeping the .env file secure and not exposing it in public repositories. docs/ENV_SETUP.md [29] -- Never share your API key publicly +- Never share your API key publicly, and ensure your `.env` file is not exposed in public repositories to prevent unauthorized access. Suggestion importance[1-10]: 8 Why: Emphasizing the importance of securing the .env file is crucial for preventing unauthorized access, making this a significant security improvement.	8
Best practice	Recommend tools for managing environment variables securely in production environments Suggest using a tool or method for managing environment variables in production to help users avoid hardcoding sensitive information. docs/ENV_SETUP.md [30] -- Use environment-specific keys for different deployments +- Use environment-specific keys for different deployments, and consider using tools like Docker secrets or AWS Secrets Manager for managing sensitive information securely. Suggestion importance[1-10]: 8 Why: Recommending tools for managing environment variables securely in production is a best practice that enhances security and maintainability.	8
Enhancement	Add explanations for the necessity of each environment variable to improve user comprehension Consider providing a brief explanation of why each environment variable is necessary to enhance understanding for users. docs/ENV_SETUP.md [6] -- `REACT_APP_OPENROUTER_API_KEY`: Your OpenRouter API key (required) +- `REACT_APP_OPENROUTER_API_KEY`: Your OpenRouter API key (required) - This key is essential for authenticating requests to the OpenRouter API. Suggestion importance[1-10]: 7 Why: Adding explanations for the necessity of each environment variable can improve user comprehension, but the suggestion does not address a critical issue.	7
	Introduce a verification step to ensure environment variables are correctly configured Add a section on how to verify that the environment variables are set correctly after configuration. docs/ENV_SETUP.md [30] -(No existing code for this suggestion) +## Verify Environment Variables +After setting up your `.env` file, you can verify that the environment variables are set correctly by running: +```bash +echo $REACT_APP_OPENROUTER_API_KEY +``` Suggestion importance[1-10]: 6 Why: Introducing a verification step is helpful for users, but it is not as critical as the other suggestions, thus receiving a moderate score.	6

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Security	Warn about client-side secret exposure Clarify that REACT_APP_* variables are embedded into the client bundle and are publicly accessible. Advise using a backend proxy and keeping the OpenRouter API key server-side for production to avoid key exposure. Include guidance to rotate exposed keys immediately. docs/ENV_SETUP.md [26-30] ## Security Notes - `.env` files are automatically ignored by git - Never share your API key publicly - Use environment-specific keys for different deployments +- `REACT_APP_*` variables are embedded into the client bundle and are publicly readable; do not put secrets (like API keys) in them for production. +- Prefer a backend proxy to call OpenRouter and keep your secret key server-side; rotate keys immediately if it is ever exposed. Apply / Chat Suggestion importance[1-10]: 10 __ Why: This suggestion correctly identifies a critical security vulnerability where the REACT_APP_OPENROUTER_API_KEY is exposed on the client-side, and proposes adding a crucial warning and mitigation advice.	High
	Clarify server-side key usage Add an explicit caution that setting this in client-side env vars exposes the key publicly. Recommend using a server-side environment variable and routing requests through a backend in production. docs/ENV_SETUP.md [5-8] ### Core Configuration - `REACT_APP_OPENROUTER_API_KEY`: Your OpenRouter API key (required) - Get from: https://openrouter.ai/keys - Format: `sk-or-v1-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` + - Caution: In client-side apps, this will be exposed; for production, set the key on the server and call a backend endpoint instead of OpenRouter directly. Apply / Chat Suggestion importance[1-10]: 10 __ Why: This suggestion correctly identifies a critical security vulnerability by warning that the REACT_APP_OPENROUTER_API_KEY will be publicly exposed, and rightly recommends a server-side approach for production.	High
More

[Copilot]

Pull Request Overview

This PR adds comprehensive documentation for environment variable setup to help new users configure the project properly. The changes focus on creating clear setup instructions and security best practices for API key management.

• Created detailed environment variable setup documentation
• Cleaned up test files by removing unused imports and variables
• Updated audit configuration to allowlist specific advisories

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
docs/ENV_SETUP.md	New comprehensive guide for environment variable setup with required/optional variables and security practices
src/App.tsx	Changed save handler to log saved tests instead of updating selected test
src/utils/storage.test.ts	Removed unused conversation variable in test
src/components/SavedTests.test.tsx	Removed unused imports (waitFor, fireEvent, deletePromptTest)
src/components/OutputPanel.test.tsx	Removed unused waitFor import
src/components/NextStepChat.test.tsx	Replaced waitFor patterns with findBy queries and removed unused waitFor import
src/components/JsonlRenderer.test.tsx	Added eslint-disable comments and improved test assertions
src/components/ChatPanel.test.tsx	Removed unused ChatMessage import
audit-ci.json	Added allowlist for two security advisories

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Using console.log in production code is not recommended. Consider using a proper logging library or removing this debug statement for production builds.