Unify local env loading

[giaphutran12]

Summary

• make root .env.example the canonical local env template and remove child env templates
• load repo-root .env for backend/frontend package scripts, Docker services, and Convex make targets
• fix small TypeScript/lint blockers exposed by the build gate so PR0 is actually buildable

Important after pulling main

• BigSet now has exactly one local env source of truth: repo-root .env.
• Do not keep frontend/.env.local, frontend/.env, backend/.env, or any other nested env file in the repo.
• This matters because Next.js auto-loads frontend/.env.local and can override the root-env flow, which makes Convex commands look like the root CONVEX_SELF_HOSTED_ADMIN_KEY is missing or wrong.
• If you had older env files before this PR, move the values into repo-root .env, then move/delete the nested env files outside the repo.
• Convex admin key should live in repo-root .env as CONVEX_SELF_HOSTED_ADMIN_KEY.

Verification

• npm run build in backend
• npm run build in frontend
• npm run lint -- --quiet in frontend
• git diff --check
• make validate-dev-env fails fast when root .env is missing
• local production landing page renders via headless browser QA

No real env files were inspected or committed.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fcb2c283-1570-4b61-8c2a-a0e51da46345

📥 Commits

Reviewing files that changed from the base of the PR and between b5bdda9 and 5605f9c.

📒 Files selected for processing (1)

• docker-compose.dev.yml

---

📝 Walkthrough

Walkthrough

This PR consolidates environment configuration to a single root .env file serving all services. It introduces a new scripts/with-root-env.mjs wrapper script that loads environment variables and executes commands, integrating it into backend, frontend, and Docker Compose. Backend now explicitly loads the root .env and supports a fallback for the Clerk publishable key. Service-specific .env.example files are removed. Makefile gains validation and seeding targets. Backend auth enforcement is hardened with explicit req.auth checks on /populate and /update routes. UI components are refactored: ThemeToggle uses useSyncExternalStore, table components replace ref-based height measurement with numeric props, and PostHog logging configuration is updated. Documentation across CLAUDE.md, README.md, and service-specific READMEs reflects the new centralized setup.

Possibly related PRs

• tinyfish-io/bigset#26: Changes to the populate endpoint/workflow that relate to this PR’s /populate auth guard and authContext.authorizedUserId usage.
• tinyfish-io/bigset#15: Convex client/admin-auth wiring changes related to the typed setAdminAuth approach in this PR.
• tinyfish-io/bigset#9: Prior Clerk+Convex migration work that overlaps with this PR’s env and Convex integration changes.

Suggested reviewers

• simantak-dabhade
• manav-tf

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Unify local env loading' accurately captures the main objective of the changeset: consolidating environment configuration to load from a single root .env file across backend, frontend, and Docker services.
Description check	✅ Passed	The description is directly related to the changeset, clearly explaining the three main goals: unifying env templates, loading root .env across services, and fixing build blockers.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/root-env-unification-pr0

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

frontend/README.md (1)

8-10: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Running command contradicts the root-env script note.

The docs say package scripts load root .env, but bun dev --port 3500 bypasses package scripts. Recommend documenting bun run dev (or npm run dev) here to match the env-loading behavior.

Also applies to: 12-14

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/README.md` around lines 8 - 10, The README currently instructs
readers to run "bun dev --port 3500", which bypasses package scripts and
contradicts the note that package scripts load the root .env; update the
instructions to recommend using the package script invocation (e.g., "bun run
dev" or "npm run dev") instead of direct "bun dev --port 3500" so the root .env
is loaded; update the two occurrences (lines showing "bun dev --port 3500") and
add a short parenthetical note that running via the package script ensures the
root .env is sourced.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker-compose.dev.yml`:
- Around line 74-75: The frontend service currently injects the full root .env
via the env_file: .env entry which exposes server-only secrets; edit the
docker-compose service named frontend to remove the env_file: .env line and
replace it with an explicit environment: block listing only the public frontend
variables required at runtime (e.g., NEXT_PUBLIC_API_URL,
NEXT_PUBLIC_ANALYTICS_KEY or other NEXT_PUBLIC_* keys used by the Next.js app),
ensuring no SERVER_ or secret keys are included; locate the frontend service
block in the compose diff and make this substitution so only scoped public env
vars are passed into the container.

In `@makefiles/Makefile`:
- Line 26: The Makefile recipe uses non-POSIX conditional syntax ([[ ... ]])
(e.g., the test involving $$value and $$placeholder in the recipe and similar
checks at lines referencing the same pattern), which breaks under /bin/sh;
either change those checks to POSIX test syntax ([ ... ] with proper quoting and
||/&& adjustments) across all occurrences (the checks at the shown diff and the
similar ones at the other noted locations) or pin the Makefile shell by adding a
top-level SHELL := /bin/bash so targets like dev and convex-* run under bash;
update all occurrences of [[ ... ]] accordingly and ensure quoting of $$value
and $$placeholder remains correct.

---

Outside diff comments:
In `@frontend/README.md`:
- Around line 8-10: The README currently instructs readers to run "bun dev
--port 3500", which bypasses package scripts and contradicts the note that
package scripts load the root .env; update the instructions to recommend using
the package script invocation (e.g., "bun run dev" or "npm run dev") instead of
direct "bun dev --port 3500" so the root .env is loaded; update the two
occurrences (lines showing "bun dev --port 3500") and add a short parenthetical
note that running via the package script ensures the root .env is sourced.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 008baf79-430c-4e0b-9cd5-85a535d25cc2

📥 Commits

Reviewing files that changed from the base of the PR and between abc6e6a and b5bdda9.

📒 Files selected for processing (24)

• .env.example
• .gitignore
• CLAUDE.md
• README.md
• backend/.env.example
• backend/README.md
• backend/package.json
• backend/src/convex.ts
• backend/src/env.ts
• backend/src/index.ts
• backend/src/mastra/tools/investigate-tool.ts
• backend/src/pipeline/schema-inference.ts
• docker-compose.dev.yml
• frontend/.env.example
• frontend/.gitignore
• frontend/README.md
• frontend/components/ThemeToggle.tsx
• frontend/components/table/ColumnHeader.tsx
• frontend/components/table/DatasetTable.tsx
• frontend/components/table/TableHeader.tsx
• frontend/lib/analytics.ts
• frontend/package.json
• makefiles/Makefile
• scripts/with-root-env.mjs

💤 Files with no reviewable changes (2)

• backend/.env.example
• frontend/.env.example

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove full root .env injection from the frontend service.

Line 74 introduces env_file: .env for frontend, which makes server-only keys available inside the frontend container runtime. Keep frontend env scoped to explicit required vars to preserve least privilege.

Suggested fix

   frontend:
     build:
       context: ./frontend
       dockerfile: Dockerfile.dev
-    env_file:
-      - .env
     ports:
       - "3500:3500"

As per coding guidelines, frontend/**: "Frontend uses Next.js 16, React 19, Tailwind 4 for pure UI — no server-side auth logic".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	env_file:
	- .env

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker-compose.dev.yml` around lines 74 - 75, The frontend service currently
injects the full root .env via the env_file: .env entry which exposes
server-only secrets; edit the docker-compose service named frontend to remove
the env_file: .env line and replace it with an explicit environment: block
listing only the public frontend variables required at runtime (e.g.,
NEXT_PUBLIC_API_URL, NEXT_PUBLIC_ANALYTICS_KEY or other NEXT_PUBLIC_* keys used
by the Next.js app), ensuring no SERVER_ or secret keys are included; locate the
frontend service block in the compose diff and make this substitution so only
scoped public env vars are passed into the container.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use POSIX test syntax or pin Make shell to bash.

These recipes use [[ ... ]], which breaks when make runs under /bin/sh (common on Debian/Ubuntu). make dev/convex-* can fail before startup.

Suggested fix

+SHELL := /bin/bash
+
 .PHONY: all dev validate-dev-env down clean convex-push convex-env seed-public-datasets

Or replace [[ ... ]] with POSIX [ ... ] in all recipe checks.

Also applies to: 40-40, 44-44, 58-58

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@makefiles/Makefile` at line 26, The Makefile recipe uses non-POSIX
conditional syntax ([[ ... ]]) (e.g., the test involving $$value and
$$placeholder in the recipe and similar checks at lines referencing the same
pattern), which breaks under /bin/sh; either change those checks to POSIX test
syntax ([ ... ] with proper quoting and ||/&& adjustments) across all
occurrences (the checks at the shown diff and the similar ones at the other
noted locations) or pin the Makefile shell by adding a top-level SHELL :=
/bin/bash so targets like dev and convex-* run under bash; update all
occurrences of [[ ... ]] accordingly and ensure quoting of $$value and
$$placeholder remains correct.

[Jaredee123]

LGTM

[simantak-dabhade]

LGTM