refactor: .env.demo file #1595

Open
pranalidhanavade wants to merge 4 commits into main from refactor/env-demo-file

Conversation

@pranalidhanavade
Contributor

@pranalidhanavade pranalidhanavade commented Mar 31, 2026

What

  • refactor: .env.demo file.
  • Removed .env.sample file.

Summary by CodeRabbit

  • Chores
    • Updated default development frontend URL from port 3001 to port 3000.
    • Broadened and clarified environment configuration with many additional commented placeholders for services, integrations, and observability.
    • Replaced several default placeholder values (platform branding, support email, private key) with neutral/example placeholders.
    • Removed the separate sample environment template and consolidated configuration templates.

Signed-off-by: pranalidhanavade <pranali.dhanavade@ayanworks.com>
@coderabbitai

coderabbitai bot commented Mar 31, 2026

Warning

Rate limit exceeded

@pranalidhanavade has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 45 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 3 minutes and 45 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 81aef58e-a822-488a-8b04-6af46fb3d329

📥 Commits

Reviewing files that changed from the base of the PR and between d85ff4b and 66f9530.

📒 Files selected for processing (1)
  • .env.demo
📝 Walkthrough

Walkthrough

Expanded .env.demo with many new commented environment variable declarations and placeholders across platform, infra, security, and observability settings; changed FRONT_END_URL from http://localhost:3001 to http://localhost:3000. Removed .env.sample.

Changes

Cohort / File(s) | Summary
Expanded demo env (.env.demo) | Replaced/expanded demo env with a large commented configuration surface: gateways/frontend/mobile URLs, PUBLIC_* API URLs, NATS/Redis, wallet DB, Supabase/Postgres placeholders, AWS/S3 shortener & deeplinking, CORS, per-service NKeys seeds, Keycloak/SSO/admin client placeholders, schema-file-server, geo/admin script paths, AFJ agent docker/config, OOB/proof/org limits, OTEL/SigNoz observability toggles and creds, upload sizing, and many new empty variables. Updated FRONT_END_URL to http://localhost:3000, cleared POWERED_BY, changed support email to support@example.com, and replaced CRYPTO_PRIVATE_KEY placeholder. Added trailing newline and extended comments.
Removed sample env (.env.sample) | Deleted the .env.sample template containing previous example env vars (Supabase, gateway host/port, platform metadata, AWS/S3, DB/cache endpoints, SendGrid/Keycloak/OTel placeholders, Prisma debug, NATS/NKeys, and other example settings).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

Suggested reviewers

  • KambleSahil3

Poem

"🐇 I hopped through dotenv rows tonight,
Planted blanks and comments in soft moonlight,
Port tweaked, secrets tucked where rabbits hide,
Sample waved goodbye — I pranced with pride,
Config carrots gleam; hip-hop, code delight!"

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the primary change—refactoring the .env.demo file with expanded configuration variables and updated defaults.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.env.demo:
- Around line 106-107: The comments for the environment variables are incorrect
copy-paste and reference "x509 service" instead of describing OIDC4VC keys;
update the comment for OIDC4VC_ISSUANCE_NKEY_SEED and
OIDC4VC_VERIFICATION_NKEY_SEED to mention they are NKeys secrets for the OIDC4VC
issuance and verification services respectively (or similar wording matching the
variable names) so the comments accurately reflect OIDC4VC usage.
- Around line 63-66: Normalize empty env assignments by removing the stray space
after = so blank values use the form KEY= (no trailing space) instead of "KEY= #
comment"; update the lines for AWS_ACCESS_KEY, AWS_SECRET_KEY, AWS_REGION,
AWS_BUCKET and all other occurrences mentioned (lines groups 70-73, 77-80,
89-101, 103-107, 113, 116-117, 148, 251-252, 255-259) to use KEY= and if you
need explanatory text keep comments on their own lines above or after a proper
comment delimiter, ensuring the dotenv parser sees an empty assignment rather
than "space + `#comment`".
- Line 41: Replace any real-looking secrets in the demo env with explicit
placeholders or empty values; specifically change CRYPTO_PRIVATE_KEY and the
other sensitive keys mentioned (lines like the entries at 53, 172, 208) to
either blank values (e.g., CRYPTO_PRIVATE_KEY=) or clearly fake placeholders
(e.g., CRYPTO_PRIVATE_KEY=your-private-key-here) and update the inline comment
to state these must be set at runtime or via CI/devops rather than shipped in
the repo; locate and update the exact env variable names in the file (e.g.,
CRYPTO_PRIVATE_KEY) to avoid exposing usable credentials.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9dda2a5d-436e-4815-a609-9fbb91d90ba2

📥 Commits

Reviewing files that changed from the base of the PR and between 861d3d6 and f146ea1.

📒 Files selected for processing (2)
  • .env.demo
  • .env.sample
💤 Files with no reviewable changes (1)
  • .env.sample

@ajile-in ajile-in changed the title refactor: .env.demo file refactor: .env.demo file Mar 31, 2026
Signed-off-by: pranalidhanavade <pranali.dhanavade@ayanworks.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (2)
.env.demo (2)

94-94: ⚠️ Potential issue | 🟠 Major

Remove secret-like demo defaults from committed env template.

These values look usable and should be blank placeholders in .env.demo to avoid accidental insecure deployments.

🔐 Proposed fix
-CRYPTO_PRIVATE_KEY=dzIvVU5uMa0R3sYwdjEEuT4id17mPpjr
+CRYPTO_PRIVATE_KEY=

-PLATFORM_WALLET_PASSWORD='U2FsdGVkX19l6w/PpuicnGBYThBHolzF27oN0JwfWkc='
+PLATFORM_WALLET_PASSWORD=

-AGENT_API_KEY='supersecret-that-too-16chars'
+AGENT_API_KEY=
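Review bot: Blanking CRYPTO_PRIVATE_KEY, PLATFORM_WALLET_PASSWORD and AGENT_API_KEY in the template does not retire the three removed values, which stay readable in the repository history. If any environment was ever started from this file with those values, rotate them there, and say in the PR description that the old values are to be treated as burned.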

Based on learnings: sensitive fields are intentionally kept empty and populated from environment/runtime, not hardcoded.

Also applies to: 123-123, 381-381

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.env.demo at line 94, The .env.demo currently contains a real-looking secret
value for CRYPTO_PRIVATE_KEY; replace that hardcoded value with an empty
placeholder (e.g. CRYPTO_PRIVATE_KEY=) or a clearly non-secret placeholder
string so no usable secret is committed. Update the CRYPTO_PRIVATE_KEY entry in
the .env.demo file (and any duplicate entries mentioned) to be blank or a
descriptive placeholder, and ensure README or comments instructs developers to
populate the real key from their environment instead.

240-243: ⚠️ Potential issue | 🟡 Minor

Fix OIDC4VC NKEY comments to match variable purpose.

Both comments still mention x509 service; these keys are for OIDC4VC issuance/verification and should be labeled accordingly.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.env.demo around lines 240 - 243, The comments for
OIDC4VC_ISSUANCE_NKEY_SEED and OIDC4VC_VERIFICATION_NKEY_SEED incorrectly
reference the x509 service; update the comment text to clearly describe each
variable's purpose (e.g., "Please provide NKeys seed for OIDC4VC issuance
service" for OIDC4VC_ISSUANCE_NKEY_SEED and "Please provide NKeys seed for
OIDC4VC verification service" for OIDC4VC_VERIFICATION_NKEY_SEED), remove the
duplicate/incorrect x509 mention, and ensure the wording aligns with the
variable names so future readers know these seeds are for OIDC4VC issuance and
verification respectively.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.env.demo:
- Line 308: Normalize environment variable assignments by removing spaces around
the equals sign and trimming unintended leading/trailing spaces in values:
change ELK_LOG_PATH= "http://localhost:9200/" to
ELK_LOG_PATH="http://localhost:9200/" and change any occurrences like
PRISMA_LOGS = error to PRISMA_LOGS=error (apply the same normalization to the
other occurrence mentioned for PRISMA_LOGS).


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 44c42ce2-8378-425e-ab10-2759766bd42d

📥 Commits

Reviewing files that changed from the base of the PR and between f146ea1 and b8b429a.

📒 Files selected for processing (1)
  • .env.demo

Signed-off-by: pranalidhanavade <pranali.dhanavade@ayanworks.com>

@coderabbitai coderabbitai bot left a comment


♻️ Duplicate comments (6)
.env.demo (6)

455-455: ⚠️ Potential issue | 🟡 Minor

Normalize env assignment syntax.

Remove spaces around the equals sign for consistent parsing across dotenv implementations.

🧹 Proposed fix
-PRISMA_LOGS = error
+PRISMA_LOGS=error
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.env.demo at line 455, Normalize the environment assignment by removing
surrounding spaces around the equals sign for the PRISMA_LOGS variable in the
.env.demo file (change "PRISMA_LOGS = error" to "PRISMA_LOGS=error") so dotenv
parsers consistently read the value; update any other env lines in the file that
use the spaced "KEY = value" form to "KEY=value" to keep syntax consistent.

308-308: ⚠️ Potential issue | 🟡 Minor

Normalize env assignment syntax.

The assignment has a space after = and unnecessary quotes. This can cause dotenv parser inconsistencies.

🧹 Proposed fix
-ELK_LOG_PATH= "http://localhost:9200/"
+ELK_LOG_PATH=http://localhost:9200/
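Review bot: The + line drops the quotes, while the inline comment for line 308 in the previous review round suggested ELK_LOG_PATH="http://localhost:9200/" with the quotes kept. Either form removes the space after =, but the two suggestions should agree; pick one quoting style and apply it to every URL value in the file.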
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.env.demo at line 308, The ELK_LOG_PATH environment assignment uses a space
after '=' and surrounding quotes which can break dotenv parsing; update the
ELK_LOG_PATH entry (ELK_LOG_PATH) to use standard dotenv syntax by removing the
space after '=' and removing the surrounding quotes so the value is unquoted and
directly assigned.

94-94: ⚠️ Potential issue | 🔴 Critical

Replace placeholder with empty value to prevent insecure deployments.

The value YourSecretPrivateKeyHere could be mistaken for a valid key and deployed to production. The encryption function in libs/common/src/cast.helper.ts only validates that the key is non-empty but doesn't check for placeholder values. If an operator copies this file verbatim, client credentials would be encrypted with a known weak key.

🔐 Proposed fix
-# It should be same as studio UI
-CRYPTO_PRIVATE_KEY=YourSecretPrivateKeyHere
+# It should be same as studio UI - MUST be set via secret manager/runtime env
+CRYPTO_PRIVATE_KEY=
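Review bot: The new comment on the first + line joins two separate instructions with a hyphen ("same as studio UI" and "MUST be set via secret manager/runtime env"), which makes it easy to miss that the studio UI side has to receive the same value from the same source. Split it into two comment lines, and keep CRYPTO_PRIVATE_KEY= free of any trailing inline comment so the assignment is read as empty.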

Based on learnings: sensitive fields are intentionally kept empty and populated from environment/runtime, not hardcoded.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.env.demo at line 94, Replace the placeholder value for CRYPTO_PRIVATE_KEY
with an empty value so it's not accidentally treated as a real secret; update
the .env template to use CRYPTO_PRIVATE_KEY= (empty) and ensure any validation
in libs/common/src/cast.helper.ts (the encryption/key-check logic) does not
treat the placeholder "YourSecretPrivateKeyHere" as valid by enforcing a
non-placeholder/explicitly non-empty check at runtime.

381-381: ⚠️ Potential issue | 🔴 Critical

Replace API key with empty value.

The value supersecret-that-too-16chars looks like a usable API key. Demo files should not contain functional credentials that could be accidentally deployed.

🔐 Proposed fix
-# API key for agent base wallet
-AGENT_API_KEY='supersecret-that-too-16chars'
+# API key for agent base wallet - set via secret manager
+AGENT_API_KEY=
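Review bot: The removed value supersecret-that-too-16chars read as a hint that the key has a 16-character minimum, and the replacement comment no longer says anything about length or format. If the agent enforces a minimum length, state it in the comment above AGENT_API_KEY= so operators generate a value that is accepted.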

Based on learnings: sensitive fields are intentionally kept empty and populated from environment/runtime, not hardcoded.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.env.demo at line 381, The .env demo contains a hardcoded credential value
for AGENT_API_KEY; remove the secret by setting AGENT_API_KEY to an empty string
(e.g., AGENT_API_KEY='') and add a comment indicating this should be provided at
runtime or via secure environment injection; ensure no other default API-like
values remain and update any README or docs to instruct consumers to populate
AGENT_API_KEY from their own environment/secret manager.

239-243: ⚠️ Potential issue | 🟡 Minor

Fix copy-paste comments for OIDC4VC variables.

Both OIDC4VC_ISSUANCE_NKEY_SEED and OIDC4VC_VERIFICATION_NKEY_SEED have comments referencing "x509 service" instead of OIDC4VC. This appears to be a copy-paste error from the X509_NKEY_SEED variable above.

📝 Proposed fix
-# Please provide Nkeys secret for x509 service
+# Please provide Nkeys secret for OIDC4VC issuance service
 OIDC4VC_ISSUANCE_NKEY_SEED=

-# Please provide Nkeys secret for x509 service
+# Please provide Nkeys secret for OIDC4VC verification service
 OIDC4VC_VERIFICATION_NKEY_SEED=
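Review bot: The replacement comments say "Nkeys secret" while both variables end in _NKEY_SEED. Wording them as "NKeys seed for the OIDC4VC issuance service" and "NKeys seed for the OIDC4VC verification service" would match the variable names and tell the operator which artifact belongs here.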
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.env.demo around lines 239 - 243, The comment above the environment
variables OIDC4VC_ISSUANCE_NKEY_SEED and OIDC4VC_VERIFICATION_NKEY_SEED wrongly
references "x509 service"; update both comment lines to correctly reference
OIDC4VC (e.g., "Please provide Nkeys secret for OIDC4VC issuance" and "Please
provide Nkeys secret for OIDC4VC verification" or a single shared correct
description) so the comments match the variables OIDC4VC_ISSUANCE_NKEY_SEED and
OIDC4VC_VERIFICATION_NKEY_SEED.

123-123: ⚠️ Potential issue | 🔴 Critical

Replace encrypted password with empty value.

This appears to be a real encrypted password (crypto-js output format). Demo/sample files should not contain usable credentials. Leave this empty to force operators to set it via secure configuration.

🔐 Proposed fix
-# Please provide encrypt password using crypto-js
-PLATFORM_WALLET_PASSWORD='U2FsdGVkX19l6w/PpuicnGBYThBHolzF27oN0JwfWkc='
+# Please provide encrypt password using crypto-js - set via secret manager
+PLATFORM_WALLET_PASSWORD=
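Review bot: The retained wording "Please provide encrypt password using crypto-js" is ungrammatical and does not say which key or passphrase the value must be encrypted with, so an operator cannot produce a working value from the comment alone. Reword it, for example "crypto-js encrypted wallet password", and name the variable that holds the encryption key if there is one.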

Based on learnings: sensitive fields are intentionally kept empty and populated from environment/runtime, not hardcoded.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.env.demo at line 123, Replace the hardcoded encrypted value for
PLATFORM_WALLET_PASSWORD with an empty value in the .env.demo file so no usable
credentials are shipped; specifically remove the string
'U2FsdGVkX19l6w/PpuicnGBYThBHolzF27oN0JwfWkc=' and set PLATFORM_WALLET_PASSWORD=
(empty) to force operators to provide the secret at runtime or via secure
configuration.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4bafe5c7-632f-4de3-a893-e3ae547c2f30

📥 Commits

Reviewing files that changed from the base of the PR and between b8b429a and d85ff4b.

📒 Files selected for processing (1)
  • .env.demo
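
The checks this review keeps asking for, as an added example that is not code from the PR or the project: a small linter for a committed .env template that flags spaced assignments, `KEY= # comment` lines, and secret-named keys that carry a value. The key-name pattern, rule names and sample input are assumptions made for this sketch.

```javascript
// Added example: lint a .env template for the issues raised in this review.
// SECRET_NAME and the rule names are assumptions, not project conventions.
const SECRET_NAME = /(SECRET|PASSWORD|PRIVATE_KEY|API_KEY|NKEY_SEED)/;

function lintEnvTemplate(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) return; // blank or full-line comment
    const eq = line.indexOf('=');
    if (eq === -1) return; // not an assignment
    const left = line.slice(0, eq);
    const right = line.slice(eq + 1);
    const key = left.trim();
    const add = (rule) => findings.push({ line: i + 1, key, rule });

    // "KEY= # note": the review asks for comments on their own line instead.
    const commentOnly = /^\s+#/.test(right);
    if (commentOnly) add('comment-after-empty-value');

    // "KEY = value" or "KEY= value": flagged in the review as inconsistent
    // across dotenv implementations.
    if (left !== key || (/^\s/.test(right) && !commentOnly)) add('spaced-assignment');

    // Effective value: empty for comment-only, otherwise trimmed and unquoted.
    let value = commentOnly ? '' : right.trim();
    const quoted = value.match(/^(['"])(.*)\1$/);
    if (quoted) value = quoted[2];

    // Secret-named keys must ship blank in a committed template.
    if (SECRET_NAME.test(key) && value !== '') add('secret-has-value');
  });
  return findings;
}

function summarize(findings) {
  return findings.map((f) => `${f.line}:${f.key}:${f.rule}`);
}

// Constructed sample; the forms mirror the ones discussed in the review.
const SAMPLE = [
  '# It should be same as studio UI',
  'CRYPTO_PRIVATE_KEY=YourSecretPrivateKeyHere',
  'PRISMA_LOGS = error',
  'ELK_LOG_PATH= "http://localhost:9200/"',
  'AWS_SECRET_KEY= # set at deploy time',
  'AGENT_API_KEY=',
  'FRONT_END_URL=http://localhost:3000',
].join('\n');

console.log(summarize(lintEnvTemplate(SAMPLE)).join('\n'));
```

Run against the template in CI, a non-empty result can fail the build before a secret-like default is merged.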

Signed-off-by: pranalidhanavade <pranali.dhanavade@ayanworks.com>