fix(server): drop CODEGEN_SERVICE_URL and source SENTRY_DSN from env file

[Nikhil (shadowfax92)]

Summary

• The release-server workflow's build:server step was failing CI — validateProductionEnv() requires CODEGEN_SERVICE_URL and SENTRY_DSN, but neither is configured as a CI secret, so they resolved to empty strings and the build aborted (Production build requires variables: CODEGEN_SERVICE_URL, SENTRY_DSN).
• Removes CODEGEN_SERVICE_URL end to end — it was inlined into server config and threaded into HttpServerConfig, but never actually read; the EXTERNAL_URLS.CODEGEN_SERVICE constant also had zero consumers (dead code).
• Sources SENTRY_DSN from the committed env template instead of an (unconfigured) CI secret.

Design

A Sentry DSN is a public client identifier — it's already inlined into every shipped binary, exactly like BROWSEROS_CONFIG_URL, which ships its real value in .env.production.example. So the DSN now lives in that template, which CI copies to .env.production before building. The subtle part: buildInlineEnv resolves values as process.env[key] ?? fileEnv[key], and '' ?? x === '', so an empty SENTRY_DSN injected by the workflow env: block would shadow the file value. The fix therefore also drops the now-empty SENTRY_DSN and CODEGEN_SERVICE_URL lines from the workflow so the file value actually takes effect. POSTHOG_API_KEY is untouched — its secret is configured and still flows from the workflow env.

Test plan

• bun run typecheck — all packages pass
• bunx biome check on changed files — clean (exit 0)
• bun test apps/server/tests/build.test.ts — 2 pass (real compile + --version, plus --ci archive build)
• go build ./... in tools/dogfood — passes
• Reproduced the original failure against the real loadBuildConfig before the change; confirmed the fixed scenario (SENTRY from file, no CODEGEN anywhere) loads cleanly after.

[Nikhil (shadowfax92)]

Greptile (@greptileai) review

[Nikhil (shadowfax92)]

Claude (@claude) review

[claude]

Claude finished Nikhil (@shadowfax92)'s task in 2m 47s —— View job

---

Code Review

• Gather context: read diff and changed files
• Review CI workflow changes
• Review env/config changes
• Review code cleanup (dead code removal)
• Check for security considerations
• Post final review

---

Summary

This is a clean, well-reasoned fix. The root cause analysis and the '' ?? x behavior insight are correct, the dead code removal is complete end-to-end, and the test coverage is sound. A few minor observations below.

---

Correctness

CODEGEN_SERVICE_URL is truly dead. A grep across all .ts, .go, and .md files finds zero remaining references to CODEGEN_SERVICE_URL or EXTERNAL_URLS.CODEGEN_SERVICE. The removal spans all layers cleanly: env validation, schema, config merge, HTTP server interface, build scripts, Go dogfood tool, and docs.

The '' ?? fileEnv[key] shadow bug is real and correctly fixed. In scripts/build/server/config.ts:28:

const value = process.env[name] ?? fileEnv[name]

When the workflow sets SENTRY_DSN: ${{ secrets.SENTRY_DSN || vars.SENTRY_DSN }} with no secret configured, that resolves to '' in the process env. Since '' !== null && '' !== undefined, the nullish coalescing operator doesn't fall through to the file value. Removing the var from the workflow env block is exactly the right fix.

The build path is correct. The workflow calls bun run build:server (not build:server:ci), which does not pass --ci and therefore runs validateProductionEnv(). After this fix: process.env.SENTRY_DSN is undefined in CI → undefined ?? fileEnv['SENTRY_DSN'] falls through to the committed DSN → validation passes.

---

Observations

1. SENTRY_DSN committed publicly.
The DSN https://08d37194d0cfaed69687c3803216daa4@... is now in a public file in the repo. The PR's rationale (it's already baked into every shipped binary, comparable to BROWSEROS_CONFIG_URL) is sound. One practical note: a public DSN can receive arbitrary inbound events. Sentry's built-in rate limiting handles this, but it's worth ensuring the project's Sentry inbound rate limits and allowed origins are configured if you want to guard against quota exhaustion from spoofed events.

2. Dogfood DefaultProductionEnv() still has SENTRY_DSN: "".
tools/dogfood/config/config.go:201 still initializes SENTRY_DSN as empty. Dogfood builds cut from this tool will have a blank DSN and Sentry will be effectively disabled. That's probably the intended behavior for a local dev tool, but worth a comment if that expectation needs to be explicit.

3. README SENTRY_DSN default column.
packages/browseros-agent/README.md still shows | - | (no default) for SENTRY_DSN in the production env table, even though it now has a committed default in the template. Minor docs drift — not a blocker.

4. POSTHOG_API_KEY is empty in the template.
Left blank in .env.production.example, still flows from the CI secret. Intentional asymmetry with SENTRY_DSN and BROWSEROS_CONFIG_URL. This is consistent with treating PostHog keys as genuinely secret, but it means a developer trying to do a local production build will hit a validation error for POSTHOG_API_KEY. Might be worth a comment in the template clarifying that this must come from the environment.

---

Verdict

LGTM with minor suggestions. The core fix is correct and complete. Items 1–4 above are observations and minor polish, not blockers. The test plan covers the critical paths.

[github-actions]

✅ Tests passed — 1059/1064

Suite	Passed	Failed	Skipped
✅ agent	91/91	0	0
✅ build	10/10	0	0
✅ eval	95/95	0	0
✅ server-agent	246/246	0	0
✅ server-api	64/64	0	0
✅ server-browser	4/4	0	0
✅ server-integration	9/10	0	1
✅ server-lib	252/253	0	1
✅ server-root	59/62	0	3
✅ server-tools	229/229	0	0

View workflow run

[greptile-apps]

Greptile Summary

This PR fixes a failing CI build by removing the dead CODEGEN_SERVICE_URL variable end-to-end and by sourcing SENTRY_DSN from the committed .env.production.example template instead of an unconfigured CI secret. The workflow's empty env: entries for both variables are also dropped so they no longer shadow file-based values through buildInlineEnv's ?? resolution.

• Dead code removal: CODEGEN_SERVICE_URL is excised from env.ts, config.ts, types.ts, the build script, the shared EXTERNAL_URLS constant, the workflow, the Go dogfood config, and both env example files — complete end-to-end removal.
• SENTRY_DSN sourcing: The public DSN is now committed in .env.production.example; CI copies this to .env.production before the build, and the empty workflow env: entry is removed so the file value is not shadowed by an empty string.
• Dogfood gap: DefaultProductionEnv() in tools/dogfood/config/config.go still returns SENTRY_DSN: "", meaning dogfood-driven production builds will fail validateProductionEnv until the user manually overrides the value — inconsistent with the DSN now being a committed public constant.

Confidence Score: 4/5

Safe to merge for CI builds; dogfood production builds will regress until the Go default is patched.

The CI workflow fix is correct and the dead-code removal is thorough. The one gap is DefaultProductionEnv() in the Go dogfood tool, which still hard-codes SENTRY_DSN as empty. Because the DSN is now a public constant stored only in .env.production.example, any dogfood user who triggers a production build will hit validateProductionEnv failing on an empty SENTRY_DSN — a regression introduced by this PR that requires a manual workaround until the default is updated.

packages/browseros-agent/tools/dogfood/config/config.go — DefaultProductionEnv still returns an empty SENTRY_DSN.

Important Files Changed

Filename	Overview
.github/workflows/release-server.yml	Removes empty CODEGEN_SERVICE_URL and SENTRY_DSN env entries from the workflow so the .env.production file values are not shadowed by empty strings.
packages/browseros-agent/apps/server/src/env.ts	Drops CODEGEN_SERVICE_URL from the inlined env map and from the REQUIRED_FOR_PRODUCTION list; clean removal with no residual references.
packages/browseros-agent/apps/server/.env.production.example	Adds the real (public) Sentry DSN and removes CODEGEN_SERVICE_URL; dogfood DefaultProductionEnv still returns SENTRY_DSN="" so dogfood production builds will not automatically pick up this value.
packages/browseros-agent/scripts/build/server/config.ts	Removes CODEGEN_SERVICE_URL from REQUIRED_PROD_VARS; the ?? shadowing behaviour with empty strings is pre-existing and well-documented in the PR.
packages/browseros-agent/tools/dogfood/config/config.go	Removes CODEGEN_SERVICE_URL from DefaultProductionEnv but leaves SENTRY_DSN="" — inconsistent with .env.production.example which now holds the public DSN, causing dogfood production builds to fail validation unless users manually set it.
packages/browseros-agent/packages/shared/src/constants/urls.ts	Removes dead EXTERNAL_URLS.CODEGEN_SERVICE constant; aligns with the custom rule to eliminate unused code.
packages/browseros-agent/apps/server/src/config.ts	Drops codegenServiceUrl from ServerConfigSchema and its injection step; comment numbering corrected.
packages/browseros-agent/apps/server/src/api/types.ts	Removes codegenServiceUrl from HttpServerConfig interface; straightforward dead-field removal.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["CI: release-server workflow"] -->|copies| B[".env.production.example → .env.production"]
    A -->|no longer injects| C["SENTRY_DSN and CODEGEN_SERVICE_URL removed from env block"]
    B -->|fileEnv| D["buildInlineEnv: process.env key ?? fileEnv key"]
    E["process.env: POSTHOG_API_KEY from CI secret"] --> D
    D -->|inlined at build time| F["Server Binary: SENTRY_DSN, POSTHOG_API_KEY, BROWSEROS_CONFIG_URL"]
    G["Dogfood tool"] -->|generates env with SENTRY_DSN empty| H["buildInlineEnv receives empty string"]
    H -->|empty string passes ?? check| I["validateProductionEnv FAILS: SENTRY_DSN required"]
    style I fill:#ffcccc,stroke:#cc0000
    style F fill:#ccffcc,stroke:#007700

Loading

Comments Outside Diff (1)

1. packages/browseros-agent/tools/dogfood/config/config.go, line 198-203 (link)

   The Sentry DSN is now a committed public constant in .env.production.example, but DefaultProductionEnv() still initialises SENTRY_DSN to "". When a dogfood user runs a production build, dogfood generates the build's environment from this map. Because buildInlineEnv resolves values as process.env[key] ?? fileEnv[key], an empty string from the dogfood-generated file takes precedence over undefined, resulting in "" reaching validateProductionEnv, which then throws "Production build requires variables: SENTRY_DSN". Since the DSN is already public, seeding it in the defaults is safe and keeps dogfood builds working without requiring users to manually configure a value they shouldn't need to know.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: packages/browseros-agent/tools/dogfood/config/config.go
   Line: 198-203
   
   Comment:
   The Sentry DSN is now a committed public constant in `.env.production.example`, but `DefaultProductionEnv()` still initialises `SENTRY_DSN` to `""`. When a dogfood user runs a production build, dogfood generates the build's environment from this map. Because `buildInlineEnv` resolves values as `process.env[key] ?? fileEnv[key]`, an empty string from the dogfood-generated file takes precedence over `undefined`, resulting in `""` reaching `validateProductionEnv`, which then throws `"Production build requires variables: SENTRY_DSN"`. Since the DSN is already public, seeding it in the defaults is safe and keeps dogfood builds working without requiring users to manually configure a value they shouldn't need to know.
   
   
   
   How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
packages/browseros-agent/README.md:122
The `SENTRY_DSN` row in the table still shows `-` for its default, but the variable now has a concrete value committed in `.env.production.example`. Updating this keeps the docs consistent with the new sourcing strategy.

```suggestion
| `SENTRY_DSN` | (see `.env.production.example`) | Sentry DSN baked into prod binary |
```

### Issue 2 of 2
packages/browseros-agent/tools/dogfood/config/config.go:198-203
The Sentry DSN is now a committed public constant in `.env.production.example`, but `DefaultProductionEnv()` still initialises `SENTRY_DSN` to `""`. When a dogfood user runs a production build, dogfood generates the build's environment from this map. Because `buildInlineEnv` resolves values as `process.env[key] ?? fileEnv[key]`, an empty string from the dogfood-generated file takes precedence over `undefined`, resulting in `""` reaching `validateProductionEnv`, which then throws `"Production build requires variables: SENTRY_DSN"`. Since the DSN is already public, seeding it in the defaults is safe and keeps dogfood builds working without requiring users to manually configure a value they shouldn't need to know.

```suggestion
func DefaultProductionEnv() ProductionEnv {
	return ProductionEnv{
		Server: map[string]string{
			"BROWSEROS_CONFIG_URL": "https://llm.browseros.com/api/browseros-server/config",
			"POSTHOG_API_KEY":      "",
			"SENTRY_DSN":           "https://08d37194d0cfaed69687c3803216daa4@o4510545525932032.ingest.us.sentry.io/4510545527111680",
```

_{Reviews (1): Last reviewed commit: "fix(server): drop CODEGEN_SERVICE_URL, s..." | Re-trigger Greptile}

[greptile-apps]

Greptile Summary

This PR fixes a broken release-server CI workflow by removing the unused CODEGEN_SERVICE_URL variable end-to-end and moving SENTRY_DSN from an unconfigured CI secret into the committed .env.production.example template. The PR description accurately explains the subtle '' ?? x === '' shadowing issue that required also dropping the empty SENTRY_DSN and CODEGEN_SERVICE_URL env lines from the workflow step.

• Dead code removal: CODEGEN_SERVICE_URL is removed from INLINED_ENV, ServerConfigSchema, HttpServerConfig, EXTERNAL_URLS, the build script's required vars, the dogfood defaults, and all env template files — a thorough, consistent cleanup across all layers.
• Sentry DSN sourcing: The DSN is now committed in .env.production.example (consistent with how BROWSEROS_CONFIG_URL already ships its real value), and the CI workflow step now copies that file before building so the value is picked up from fileEnv rather than an unconfigured secret.
• Test alignment: build.test.ts, REQUIRED_INLINE_ENV_KEYS, and INLINE_ENV_STUBS are all updated to match the new three-variable set.

Confidence Score: 4/5

Safe to merge — the CI fix is correct and the dead-code removal is thorough across all layers.

The core logic change (removing the empty workflow env lines so the file value isn't shadowed by empty-string injection) is sound and well-explained. Dead-code removal of CODEGEN_SERVICE_URL is consistent across TS, Go, env files, and the workflow. The only gaps are documentation: the README default column is now stale for SENTRY_DSN, and the dogfood DefaultProductionEnv still defaults SENTRY_DSN to an empty string even though the value is now publicly committed — meaning new dogfood users attempting a local production build would still hit a validation error without knowing where to find the DSN.

packages/browseros-agent/tools/dogfood/config/config.go and packages/browseros-agent/README.md — both have minor documentation gaps created by the new committed DSN value.

Important Files Changed

Filename	Overview
.github/workflows/release-server.yml	Drops CODEGEN_SERVICE_URL and SENTRY_DSN from the env block so empty-string injection no longer shadows the file value sourced from .env.production.example; POSTHOG_API_KEY stays because its secret is configured.
packages/browseros-agent/apps/server/src/env.ts	Removes CODEGEN_SERVICE_URL from INLINED_ENV and REQUIRED_FOR_PRODUCTION; the remaining three variables are all now correctly sourced in CI.
packages/browseros-agent/scripts/build/server/config.ts	CODEGEN_SERVICE_URL removed from REQUIRED_PROD_VARS; buildInlineEnv and validateProductionEnv now consistently enforce the trimmed three-variable set.
packages/browseros-agent/apps/server/.env.production.example	Commits the real Sentry DSN into the template; removes the empty CODEGEN_SERVICE_URL line. The DSN is a public client token and intentionally ships in the binary, but the README Default column for SENTRY_DSN still shows - rather than the now-committed value.
packages/browseros-agent/apps/server/tests/build.test.ts	REQUIRED_INLINE_ENV_KEYS and INLINE_ENV_STUBS correctly trimmed to the new three-variable set; both test cases (full build + CI archive) remain valid after the change.
packages/browseros-agent/tools/dogfood/config/config.go	Removes CODEGEN_SERVICE_URL from DefaultProductionEnv. SENTRY_DSN is still defaulted to empty string — dogfood users running a local production build still need to supply it manually in their YAML config, even though the value is now publicly committed.
packages/browseros-agent/packages/shared/src/constants/urls.ts	EXTERNAL_URLS.CODEGEN_SERVICE constant removed; had no consumers, clean dead-code elimination.
packages/browseros-agent/apps/server/src/config.ts	codegenServiceUrl removed from ServerConfigSchema and the merge step that populated it; step numbering in comments updated accordingly.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[CI: release-server workflow] --> B[cp .env.production.example\n→ .env.production]
    B --> C[Build step\nenv: BROWSEROS_CONFIG_URL, POSTHOG_API_KEY]
    C --> D[loadBuildConfig]
    D --> E[loadProdEnv\nreads .env.production file]
    D --> F[buildInlineEnv]
    E --> F
    F --> G{"process.env[key]\n?? fileEnv[key]"}
    G -->|SENTRY_DSN: undefined in process.env| H[fileEnv value\nhttps://08d37...]
    G -->|POSTHOG_API_KEY: set from secret| I[secret value]
    G -->|BROWSEROS_CONFIG_URL: set from workflow| J[workflow var value]
    H --> K[validateProductionEnv ✓]
    I --> K
    J --> K
    K --> L[bun build --env inline\nvalues baked into binary]

Loading

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
packages/browseros-agent/README.md:122
The `SENTRY_DSN` default column now shows `-` but the value is pre-populated in `.env.production.example`. Updating the table keeps the docs in sync with the template and signals to users they don't need to supply their own DSN.

```suggestion
| `SENTRY_DSN` | (set in `.env.production.example`) | Sentry DSN baked into prod binary |
```

### Issue 2 of 2
packages/browseros-agent/tools/dogfood/config/config.go:199-203
Since `SENTRY_DSN` is now a public value committed in `.env.production.example`, dogfood's `DefaultProductionEnv` could carry it too. Without this, new dogfood users who attempt a local production build will hit a `validateProductionEnv` failure on `SENTRY_DSN` unless they manually add it to their config YAML.

```suggestion
	return ProductionEnv{
		Server: map[string]string{
			"BROWSEROS_CONFIG_URL": "https://llm.browseros.com/api/browseros-server/config",
			"POSTHOG_API_KEY":      "",
			"SENTRY_DSN":           "https://08d37194d0cfaed69687c3803216daa4@o4510545525932032.ingest.us.sentry.io/4510545527111680",
```

_{Reviews (2): Last reviewed commit: "fix(server): drop CODEGEN_SERVICE_URL, s..." | Re-trigger Greptile}

[Nikhil (shadowfax92)]

Thanks Greptile (@greptileai) and Claude (@claude) — addressed below.

✅ dogfood DefaultProductionEnv → SENTRY_DSN (Greptile P1) — done in 7244a05f

Seeded the public DSN so dogfood's server prod-env map stays aligned with .env.production.example.

One correction on the framing, though: this isn't a regression introduced by the PR. SENTRY_DSN: "" predates it — the PR only removed the CODEGEN_SERVICE_URL line. And dogfood's pipeline (tools/dogfood/pipeline/build.go) builds the agent in development mode; it never invokes the validating build:server, so validateProductionEnv is never reached from dogfood. I still made the change because it's the right consistency call: SENTRY_DSN is a non-secret client identifier (the whole thesis of this PR), so it belongs with the other hardcoded non-secret default (BROWSEROS_CONFIG_URL). POSTHOG_API_KEY and R2_* stay empty — those are genuine secrets supplied via user config.

❌ README SENTRY_DSN "Default" column — declining

The "Default" column lists the code-level fallback, not the template value — only R2_UPLOAD_PREFIX has one ('server/prod-resources' in config.ts). BROWSEROS_CONFIG_URL also ships a committed value in .env.production.example yet correctly shows -, because there's no code default; the value is sourced from env at build time. SENTRY_DSN is in the identical situation, so - is consistent — pointing only its row at the template would make the table asymmetric.

ℹ️ Claude (@claude) observations

• Public DSN rate-limiting / allowed origins — good call; that's a Sentry-project config concern (inbound limits), no code change here.
• POSTHOG_API_KEY empty in the template — intentional. It's a genuine secret and flows from the CI secret, so a local production build does require it in the environment.

Verification for the dogfood change: go build ./... and go test ./config/... pass.

[claude]

Claude finished Nikhil (@shadowfax92)'s task in 44s —— View job

---

Claude finished Nikhil (@shadowfax92)'s task —— View job

---

Acknowledged

• Verify dogfood fix in 7244a05
• Validate README reasoning
• Post acknowledgment

---

Dogfood SENTRY_DSN fix — confirmed ✅

DefaultProductionEnv() in config.go now correctly carries the public DSN alongside BROWSEROS_CONFIG_URL. Verified on the branch. The consistency argument is right: both are non-secret client identifiers hardcoded at build time, so they belong together in the defaults map.

The correction on the regression framing is also fair — dogfood's pipeline builds in dev mode and never reaches validateProductionEnv, so there was no actual breakage. The change is still the right call for internal consistency.

README Default column — decline accepted ✅

The reasoning holds: the Default column tracks code-level fallbacks only. BROWSEROS_CONFIG_URL is in the same position (committed value in the template, - in the table) and that's the correct precedent. Updating only SENTRY_DSN's row would make the table asymmetric without a principled distinction. Greptile and I were applying the wrong frame.

Observations acknowledged

Both non-blocking items noted — Sentry inbound rate limits are a Sentry-project config concern, and the intentional asymmetry on POSTHOG_API_KEY (genuine secret vs. public DSN) is clear.

LGTM — all review items resolved.

View job

[greptile-apps]

Fair corrections on both counts — thanks for the clear reasoning.

On the regression framing: you're right, I misstated that. SENTRY_DSN: "" predating the PR means it's not something this PR introduced, and dogfood's pipeline never touching validateProductionEnv removes any practical concern anyway. The change in 7244a05f is still the right consistency call for the reason you stated.

On the README "Default" column: the distinction between code-level fallbacks vs. template-sourced values is sound, and keeping BROWSEROS_CONFIG_URL and SENTRY_DSN consistent at - is correct given they're in the same situation.

LGTM — the approach is well-reasoned and the test plan covers the key scenarios.

[Nikhil (shadowfax92)]

Correction on the dogfood item: reverted in 324490d5 — declining after all.

No env value should be hardcoded into the Go source here. As noted above, dogfood never runs the validating build:server (it builds the agent in dev mode), so DefaultProductionEnv doesn't need the DSN. Keeping SENTRY_DSN: "" alongside the other empty placeholders (POSTHOG_API_KEY, R2_*) is correct — values are supplied via user config, not baked into source.

Net: both Greptile suggestions declined; the core CI fix (commit 863521e2) is unchanged.