Unify .env generation between quickstart CLI and contributor flows #2212
miles-kt-inkeep merged 13 commits into main
🦋 Changeset detected
Latest commit: 15d0c77
The changes in this PR will be included in the next version bump. This PR includes changesets to release 9 packages
CI/CD Failure Investigation
All 3 CI failures are pre-existing on main — not caused by this PR's changes.
Evidence
Why these can't be caused by this PR
This PR only touches:
None of these files affect database migrations, Doltgres schema, Cypress E2E tests, or the agents-docs Vercel deployment.
PR Review Summary
(2) Total Issues | Risk: Low
🟠⚠️ Major (1) 🟠⚠️
Inline Comments:
- 🟠 Major: utils.ts:518 Missing error handling for .env.example read — users get cryptic ENOENT on corrupted template
🟡 Minor (1) 🟡
Inline Comments:
- 🟡 Minor: setup.ts:372 Success message potentially misleading after JWT generation failure
💭 Consider (4) 💭
💭 1) create-agents-template/.env.example:38 AZURE_API_KEY not in monorepo .env.example
Issue: The template adds AZURE_API_KEY which doesn't exist in the monorepo's .env.example or agents-api/src/env.ts schema.
Why: Creates asymmetry — template supports Azure but the core platform doesn't explicitly validate this env var. This is an intentional enhancement per the PR, but worth documenting.
Fix: Consider adding AZURE_API_KEY to the monorepo .env.example for consistency, or document this template-specific enhancement.
Refs: agents-api/src/env.ts:132-145
💭 2) packages/agents-core/src/setup/__tests__/generate-secrets.test.ts Missing test for .env read failure differentiation
Issue: generateSecrets() catches all .env read errors with .catch(() => ''), but no test verifies this behavior or distinguishes ENOENT from permission errors.
Why: While the silent catch is intentional design, a test would document this behavior and catch regressions.
Fix: Add test case verifying behavior when .env read fails.
💭 3) packages/agents-core/src/setup/__tests__/generate-secrets.test.ts Missing test for whitespace-only secret values
Issue: The function uses .trim() to detect empty values, but no test verifies that whitespace-only values like BETTER_AUTH_SECRET= are correctly replaced.
Why: Edge case that could lead to authentication failures if whitespace secrets slip through.
Fix: Add test case with whitespace-only values.
💭 4) packages/agents-core/src/setup/__tests__/generate-secrets.test.ts Missing test for RSA key generation failure recovery
Issue: JWT key generation has a try-catch that logs and continues, but no test verifies other secrets are still generated after RSA failure.
Why: Documents graceful degradation behavior and prevents regressions.
Fix: Add test mocking generateKeyPairSync to throw, verifying other secrets are still generated.
💡 APPROVE WITH SUGGESTIONS
Summary: This is a well-designed unification of the environment setup flows. The architectural decision to copy+inject from .env.example rather than hardcoding a template string is sound and reduces maintenance burden. The secretDefs array pattern for secret generation is clean and extensible. The main actionable item is adding error handling for the .env.example read in the CLI utility to provide a better user experience when template cloning fails. The test coverage is comprehensive (55 tests) with only minor edge cases worth considering.
Discarded (8)
| Location | Issue | Reason Discarded |
|---|---|---|
| create-agents-template/.env.example:40-42 | DEFAULT_PROJECT_ID asymmetry with monorepo | Intentional template-specific variable per PR design |
| create-agents-template/.env.example:69 | Section header formatting inconsistency | Pre-existing issue in monorepo, not introduced by this PR |
| Template omits sections | Missing GitHub/Slack/PostHog sections | Intentional per PR description — not applicable to quickstart |
| setup.ts:268 | Function rename | Positive observation — follows existing patterns |
| utils.test.ts | Variable case sensitivity test | Low confidence, template is controlled, unlikely scenario |
| setup.ts:269 | Silent catch for .env read | Intentional design — treat missing .env as empty is correct behavior |
| DevOps findings (6) | Various | All INFO severity — positive observations confirming good practices |
Reviewers (5)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
| pr-review-errors | 3 | 0 | 1 | 0 | 2 | 0 | 0 |
| pr-review-tests | 5 | 0 | 3 | 0 | 0 | 0 | 2 |
| pr-review-consistency | 5 | 0 | 1 | 0 | 0 | 0 | 4 |
| pr-review-devops | 6 | 0 | 0 | 0 | 0 | 0 | 6 |
| pr-review-standards | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 19 | 0 | 5 | 0 | 2 | 0 | 12 |
Note: pr-review-standards returned no findings — the code quality is solid.
Review assessment — 2 inline threads from automated review: Thread 1: Missing error handling for
PR Review Summary
(0) Total Issues | Risk: Low
This is a re-review scoped to the delta (1 commit, 1 file, 8 lines changed).
Delta Analysis
The delta consists of a single change in packages/create-agents/src/utils.ts:
```ts
let envExampleContent: string;
try {
  envExampleContent = await fs.readFile('.env.example', 'utf-8');
} catch {
  throw new Error(
    'Could not read .env.example from the template. The template may be corrupted — try running the command again.',
  );
}
```
This directly addresses the 🟠 Major issue raised in the previous review — users now see a descriptive error message instead of a cryptic ENOENT when the template is corrupted.
Prior Feedback Status
| Issue | Status |
|---|---|
| 🟠 Major: Missing error handling for .env.example read | ✅ Addressed in 700f4a2 |
| 🟡 Minor: Success message after JWT failure | Declined — author's explanation is reasonable (errors are already logged separately) |
New Findings in Delta
None. The error handling implementation is correct:
- Uses try-catch around the file read
- Throws with a user-friendly message explaining the likely cause and remediation
- Matches the suggested fix from the prior review
✅ APPROVE
Summary: The delta cleanly addresses the Major issue from the prior review. The error handling is well-implemented with a helpful message. The author's reasoning for declining the Minor suggestion (JWT failure message) is valid — the separate error log already communicates the failure clearly. Ship it! 🚀
Reviewers (0)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Note: No subagent reviewers were dispatched for this delta — the change is a minimal error-handling fix that doesn't require specialized review.
PR Review Summary
(0) Total Issues | Risk: Low
This is a re-review scoped to the delta (1 commit, 4 files changed since last automated review).
Delta Analysis
The delta commit (dadb84a6b) makes three categories of consistency improvements:
- Documentation updates (agents-docs/content/community/contributing/*.mdx)
  - Updated to reflect that secrets are now generated by pnpm setup-dev rather than being hardcoded placeholders
  - Accurate description: "Generate secrets (JWT keys, signing secret, auth secret, UI password) if not already configured"
- URL consistency (packages/create-agents/src/utils.ts)
  - Changed CLI output URLs from 127.0.0.1 to localhost to align with .env.example template
  - Updated inkeep.config.ts template to use localhost:3002
- Test assertion updates (packages/create-agents/src/__tests__/e2e/quickstart.test.ts)
  - Updated assertions to match localhost URL format
  - Removed expectation of inline-generated INKEEP_AGENTS_JWT_SIGNING_SECRET (now deferred to generateSecrets())
  - Added clarifying comment explaining the new behavior
Prior Feedback Status
| Issue | Status |
|---|---|
| 🟠 Major: Missing error handling for .env.example read | ✅ Addressed in 700f4a2 |
| 🟡 Minor: Success message after JWT failure | Declined — author's explanation is valid |
New Findings in Delta
None. The delta changes are:
- Internally consistent with the PR's architectural decisions
- Accurately documented in the updated MDX files
- Properly tested with updated assertions
✅ APPROVE
Summary: The delta is a clean consistency pass — docs accurately reflect the new secret generation behavior, URLs are aligned to use localhost consistently, and test assertions match the expected behavior. Prior feedback was appropriately addressed. This unification reduces maintenance burden and eliminates drift between quickstart and contributor flows. Ship it! 🚀
Reviewers (2)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
| pr-review-docs | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| pr-review-standards | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Note: Both reviewers confirmed the delta changes are correct with no issues.
PR Review Summary
(0) Total Issues | Risk: Low
This is a re-review scoped to the delta (1 commit, 2 files changed since last automated review).
Delta Analysis
The delta commit (893862e7f) contains two targeted E2E test infrastructure fixes:
1. Origin Header Fix (quickstart.test.ts:210, 264)
Changed Origin: manageApiUrl to Origin: dashboardApiUrl for Better Auth sign-up and sign-in fetch calls.
- Why correct: Better Auth's trustedOrigins includes http://localhost:3000 and http://localhost:3002 but NOT http://127.0.0.1:*. The dashboard sets auth cookies scoped to localhost, so the Origin header must match.
- Verified: Cross-referenced with /packages/agents-core/src/auth/auth.ts:266-272 — the fix aligns with the configured trusted origins.
2. Symlink Resolution (utils.ts:277-289)
Added fs.realpath() to resolve symlinks when locating the manage-ui package, with improved error messaging.
- Why correct: The test uses link: protocol to symlink local packages. Without realpath(), the code looks for .next/standalone/ inside the symlink rather than the actual monorepo directory where the build artifacts exist.
- Error improvement: Now includes the original symlink path for debugging and actionable guidance ("run turbo build").
Prior Feedback Status
| Issue | Status |
|---|---|
| 🟠 Major: Missing error handling for .env.example read | ✅ Addressed in 700f4a2 |
| 🟡 Minor: Success message after JWT failure | Declined — author's explanation is valid |
New Findings in Delta
None. The delta changes are:
- Correctly fixing CORS/cookie domain issues in E2E auth tests
- Properly handling symlinked packages in the test infrastructure
- Improving error messages with actionable guidance
✅ APPROVE
Summary: Clean delta! The E2E test infrastructure fixes are correct and well-reasoned. The Origin header fix addresses a real CORS mismatch (verified against the auth config), and the symlink resolution handles pnpm's link: protocol properly. Prior feedback was appropriately addressed. This PR is ready to ship. 🚀
Reviewers (2)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
| pr-review-tests | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| pr-review-standards | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Note: Both reviewers confirmed the delta changes are correct with no issues. Minimal reviewer set selected due to the narrow scope (test infrastructure only).
PR Review Summary
(0) Total Issues | Risk: Low
This PR unifies .env generation between the quickstart CLI (create-agents) and contributor flow (pnpm setup-dev). The architectural decision to use a "copy+inject" pattern from .env.example is clean and reduces maintenance burden. All prior Major/Minor issues have been addressed or appropriately declined.
💭 Consider (2) 💭
💭 1) generate-secrets.test.ts Missing test for whitespace-only secret values
Issue: The generateSecrets() function uses .trim() to detect empty values, but no test verifies that whitespace-only values like BETTER_AUTH_SECRET= are correctly replaced.
Why: Edge case that could lead to auth failures if whitespace secrets slip through. Low likelihood but the test would document the behavior.
Fix: Add test case with whitespace-only values:
```ts
it('should generate secrets when values are whitespace-only', async () => {
  mockEnvFileContent = [
    'INKEEP_AGENTS_JWT_SIGNING_SECRET= ',
    'BETTER_AUTH_SECRET= \t ',
  ].join('\n');
  // ... verify replacement occurs
});
```
Refs: setup.ts:356
💭 2) utils.test.ts Missing test for DEFAULT_PROJECT_ID injection
Issue: The createEnvironmentFiles() function injects DEFAULT_PROJECT_ID from config.projectId, but no test explicitly verifies this injection.
Why: Nice-to-have coverage for completeness. If the injection regresses, users would have an empty project ID.
Fix: Add assertion to existing test:
```ts
expect(fs.writeFile).toHaveBeenCalledWith(
  '.env',
  expect.stringContaining('DEFAULT_PROJECT_ID=activities-planner')
);
```
Refs: utils.ts:533
✅ APPROVE
Summary: This is a well-designed unification of the environment setup flows. The "copy+inject" pattern from .env.example is cleaner than the previous hardcoded template string, and the secretDefs array pattern for secret generation is clean and extensible. All prior feedback was appropriately addressed. The two Consider items are optional test coverage improvements that don't block merging. Ship it! 🚀
Discarded (4)
| Location | Issue | Reason Discarded |
|---|---|---|
| generate-secrets.test.ts | Missing test for RSA key generation failure | Previously raised in prior review and declined by author with valid reasoning |
| utils.test.ts | Missing test for partial variable name collision | Low confidence, unlikely regression with startsWith() pattern |
| create-agents-template/.env.example | Template diverges from monorepo .env.example | Intentional by design — template is simplified for quickstart users |
| create-agents-template/.env.example | Setup instructions differ from monorepo | Intentional simplification for quickstart users |
Reviewers (6)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
| pr-review-standards | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| pr-review-consistency | 2 | 0 | 0 | 0 | 0 | 0 | 2 |
| pr-review-docs | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| pr-review-tests | 4 | 0 | 2 | 0 | 0 | 0 | 2 |
| pr-review-devops | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| pr-review-errors | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 6 | 0 | 2 | 0 | 0 | 0 | 4 |
Note: Low findings count reflects that this is a clean, well-tested PR with prior issues already addressed.
Ito Test Report ❌
21 test cases ran. 20 passed, 1 failed. This test run validated the unified
✅ Passed (20)
❌ Failed (1)
Direct navigation to protected route without auth redirects to login – Failed
- Change OTEL_EXPORTER_OTLP_TRACES_ENDPOINT from active localhost value to empty string in template .env.example. Empty value causes the template's instrumentation guard to skip OTEL initialization, avoiding ~8s request timeouts when no collector is running. setup-dev:optional replaces the value in-place (no duplicate lines).
- Add commented OTEL_EXPORTER_OTLP_TRACES_HEADERS with note that it's only needed for SigNoz Cloud.
- Prepend turbo build to test:e2e scripts so standalone dashboard artifacts exist before the E2E test runs.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
PR Review Summary
(0) Total Issues | Risk: Low
This is a re-review scoped to the delta (1 commit, 2 files changed since last automated review at 142bbd17f).
Delta Analysis
The delta commit (e6549be24) contains two targeted fixes:
1. Empty OTEL Endpoint Default (create-agents-template/.env.example:57-59)
Changed OTEL_EXPORTER_OTLP_TRACES_ENDPOINT from http://localhost:14318/v1/traces to empty string, added helpful comment for SigNoz Cloud users.
- Why correct: The instrumentation.ts in the template explicitly checks for a real OTEL endpoint and skips initialization when empty. This avoids confusing OTEL initialization failures for quickstart users who don't have SigNoz/Jaeger set up.
- Verified: docker-compose.yml has a fallback ${OTEL_EXPORTER_OTLP_TRACES_ENDPOINT:-http://localhost:14318/v1/traces} for when containers run, so Docker-based deployments still work correctly.
2. Build Step Before E2E Tests (packages/create-agents/package.json:25-26)
Added turbo run build --filter=@inkeep/create-agents --filter=@inkeep/agents-api --filter=@inkeep/agents-cli --filter=@inkeep/agents-manage-ui before e2e test execution.
- Why correct: The e2e tests use link: protocol to symlink local packages. Without building first, the symlinked packages don't have .next/standalone/ artifacts, causing startDashboardServer() to fail.
- Verified: This directly addresses the "Dashboard standalone server not found" issue mentioned in the PR description.
💭 Consider (1) 💭
Inline Comments:
- 💭 Consider: utils.test.ts:53 Test mock drift for OTEL endpoint value
Prior Feedback Status
All prior feedback was appropriately addressed or declined:
- 🟠 Major: Missing error handling for .env.example read — ✅ Addressed in earlier commit
- 🟡 Minor: Success message after JWT failure — Declined with valid reasoning
✅ APPROVE
Summary: Clean delta! Both changes are correct and well-reasoned. The empty OTEL endpoint default improves the out-of-box experience for quickstart users, and the build step ensures e2e tests have the artifacts they need. The one Consider item (test mock drift) is a minor test fidelity improvement that doesn't affect functionality. This PR is ready to ship! 🚀
Discarded (0)
No findings were discarded in this delta review.
Reviewers (1)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
| pr-review-devops | 1 | 0 | 1 | 0 | 1 | 0 | 0 |
| Total | 1 | 0 | 1 | 0 | 1 | 0 | 0 |
Note: Minimal reviewer set selected due to narrow scope (2 files, ~5 lines of functional changes).
Update mockEnvExample to use empty OTEL_EXPORTER_OTLP_TRACES_ENDPOINT matching the actual create-agents-template/.env.example value.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
PR Review Summary
(0) Total Issues | Risk: Low
This is a re-review scoped to the delta (1 commit, 1 file, 1 line changed since last automated review at e6549be24).
Delta Analysis
The delta commit (12995ad76) contains a single change:
Test mock alignment (packages/create-agents/src/__tests__/utils.test.ts:53)
Changed mockEnvExample OTEL endpoint from http://localhost:14318/v1/traces to empty string:
- 'OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=http://localhost:14318/v1/traces',
+ 'OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=',- Why correct: This directly addresses the 💭 Consider item from the previous review about test mock drift. The test mock now matches the actual template (
create-agents-template/.env.example:57).
- Impact: Improves test fidelity without functional changes. The tests now validate against realistic template content.
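Review bot: The mockEnvExample entry changed at utils.test.ts:53 is still a hand-typed copy of create-agents-template/.env.example:57, so the same drift can return the next time the template changes. Consider building the mock from the template file itself, or adding one assertion that compares the mock's OTEL_EXPORTER_OTLP_TRACES_ENDPOINT line with the template's.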
Prior Feedback Status
| Issue | Status |
|---|---|
| 💭 Consider: Test mock drift for OTEL endpoint | ✅ Addressed in this commit |
All prior Major/Minor issues were already addressed in earlier commits.
✅ APPROVE
Summary: This 1-line fix aligns the test mock with the actual template, directly addressing feedback from the previous review. The PR is in excellent shape — the unified .env generation approach is clean, well-tested, and now has consistent test fixtures. Ship it! 🚀
Reviewers (0)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Note: No subagent reviewers were dispatched for this delta — the change is a minimal 1-line test fix that directly addresses prior feedback and doesn't require specialized review.
PR Review Summary
(0) Total Issues | Risk: Low
This is a re-review scoped to the delta (1 merge commit since last automated review at 12995ad76).
Delta Analysis
The delta commit (15d0c77bd) is a clean merge from main bringing in 13 commits. None of these commits modify the PR's own files:
| PR Files (unchanged) | Delta Files (from main) |
|---|---|
| create-agents-template/.env.example | agents-work-apps/src/slack/* |
| packages/agents-core/src/setup/* | agents-api/src/domains/run/services/ArtifactParser.ts |
| packages/create-agents/src/* | agents-docs/content/talk-to-your-agents/slack/* |
| agents-docs/content/community/contributing/* | .github/workflows/cypress.yml |
Verification: git diff 12995ad76..15d0c77bd --name-only | grep -E "(create-agents-template|packages/agents-core/src/setup|packages/create-agents|agents-docs/content/community/contributing)" returns no matches.
Prior Feedback Status
All prior feedback was appropriately addressed or declined:
- 🟠 Major: Missing error handling for .env.example read — ✅ Addressed in earlier commit
- 🟡 Minor: Success message after JWT failure — Declined with valid reasoning
- 💭 Consider: Test mock drift for OTEL endpoint — ✅ Addressed
Merge Commit Contents (informational)
The 13 commits from main include:
- Slack workspace linking limitation (#2286, #2287)
- Slack message editing fix (#2284)
- Agent name display improvements (#2279, #2281, #2283)
- ArtifactParser updates (#2278)
- Slack citation blocks (#2275)
- Cypress CI workflow rename (#2285)
These are unrelated to this PR's scope (env generation unification).
✅ APPROVE
Summary: Clean merge from main with no modifications to PR-specific files. The previous review at 12995ad76 was already ✅ APPROVE with 0 issues, and the PR's code remains unchanged. The unified .env generation approach is solid — it reduces maintenance burden, eliminates drift between quickstart CLI and contributor flows, and fixes the bypass secret bug. Ready to ship! 🚀
Reviewers (0)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Note: No subagent reviewers were dispatched — the delta contains no changes to PR-specific files. This is a clean merge from main.
Ito Test Report ❌
18 test cases ran. 17 passed, 1 failed. This test run verified the Inkeep Agents PR #2212 which unifies
✅ Passed (17)
❌ Failed (1)
Dashboard redirects unauthenticated users to login – Failed
Summary
Unifies .env generation between the quickstart CLI (create-agents) and the contributor flow (git clone + pnpm setup-dev). The quickstart CLI previously hardcoded ~30 env vars as a template string and generated 5 secrets inline, diverging from the contributor flow which copies .env.example and generates only 2 JWT secrets. This caused:
INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET — broke auto-login and inkeep push during pnpm setup-dev generateJwtKeys() didn't .env.example wasn't picked up by the CLI
Additionally fixes two pre-existing CI e2e test failures:
4. 403 INVALID_ORIGIN on signup/login — auth API calls used 127.0.0.1 as Origin header, but Better Auth cookies are scoped to localhost
5. Dashboard standalone server not found — startDashboardServer() didn't resolve symlinks when using locally-linked packages via linkLocalPackages()
Architectural decisions
Copy+inject over hardcoded template string. createEnvironmentFiles() now reads .env.example and injects CLI-prompted values (API keys, project ID) by finding and replacing lines. This means any new env var added to .env.example is automatically available to CLI users without code changes.
Secret generation deferred to generateSecrets(). The CLI no longer generates any secrets (RSA keys, signing secrets, auth secrets). All secret generation is consolidated in generateSecrets() (renamed from generateJwtKeys()), which runs during pnpm setup-dev. This ensures both flows use identical secret generation logic.
Conservative placeholder detection. generateSecrets() only replaces values that are empty, commented out, or match exact placeholder strings (your-secret-key-change-in-production, adminADMIN!@12). User-customized values are never overwritten.
localhost for auth, 127.0.0.1 for health checks. The e2e test has two URL constants: manageApiUrl (127.0.0.1 — for health checks and non-auth API calls) and dashboardApiUrl (localhost — for auth calls and dashboard env vars). Auth calls must use localhost as Origin because Better Auth's cookie domain is localhost.
Changes
create-agents-template/.env.example
.env.example #) for generateSecrets() detection
OTEL_EXPORTER_OTLP_TRACES_ENDPOINT= set to empty value (not commented out) so setup-dev:optional's set_env_var can find and replace in-place without creating duplicates
OTEL_EXPORTER_OTLP_TRACES_HEADERS) commented with explanatory note that it's only needed for SigNoz Cloud, not local dev
localhost throughout (not 127.0.0.1)
packages/agents-core/src/setup/setup.ts
generateJwtKeys() → generateSecrets()
secretDefs array handling 3 additional secrets: INKEEP_AGENTS_JWT_SIGNING_SECRET (hex 32 bytes), BETTER_AUTH_SECRET (hex 32 bytes), INKEEP_AGENTS_MANAGE_UI_PASSWORD (base64url 6 bytes)
packages/create-agents/src/utils.ts
createEnvironmentFiles() to copy+inject pattern (~20 lines, down from ~80)
ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_GENERATIVE_AI_API_KEY, AZURE_API_KEY, DEFAULT_PROJECT_ID
127.0.0.1:3002 to localhost:3002
packages/create-agents/src/__tests__/e2e/quickstart.test.ts
.env assertions to match copy+inject pattern (no JWT secret check, unquoted localhost URL)
dashboardApiUrl (localhost) as Origin header instead of manageApiUrl (127.0.0.1)
packages/create-agents/src/__tests__/e2e/utils.ts
fs.realpath() to startDashboardServer() to resolve symlinks when packages are linked via linkLocalPackages()
turbo build
packages/create-agents/package.json
turbo run build step to test:e2e and test:e2e:watch scripts to ensure dependent packages (@inkeep/create-agents, @inkeep/agents-api, @inkeep/agents-cli, @inkeep/agents-manage-ui) are built before e2e tests run
Tests
generate-secrets.test.ts with 5 test cases: all-placeholder, all-custom, mixed, empty-value, missing-lines
utils.test.ts with 4 new tests for copy+inject approach, bypass secret presence, no inline secret generation
.env.example content with actual template (OTEL endpoint empty value)
Documentation
environment-configuration.mdx and get-started.mdx to reflect unified env generation flow
127.0.0.1 → localhost references in CLI reference docs
Test plan
Manual QA verified with real CLI binary, real crypto, Docker databases, API server, and ad-hoc test scripts. Full re-verification after rebase onto main (commit 142bbd17f). ~300 total assertions, 0 failures.
Formal tests (25 passing)
Template completeness (35 assertions)
Validated create-agents-template/.env.example for completeness, correctness, and separation from monorepo.
ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_GENERATIVE_AI_API_KEY, AZURE_API_KEY, DEFAULT_PROJECT_ID
BETTER_AUTH_SECRET, INKEEP_AGENTS_MANAGE_UI_PASSWORD
ENVIRONMENT, both DB URLs, API URL, TENANT_ID, bypass secret
BETTER_AUTH_SECRET=your-secret-key-change-in-production, UI_PASSWORD=adminADMIN!@12
# for generateSecrets detection
GITHUB_APP_ID, SLACK_CLIENT_ID, PUBLIC_POSTHOG_KEY, NEXT_PUBLIC_ENABLE_WORK_APPS all absent
Live CLI flow (22 assertions)
Ran the real compiled CLI binary (node dist/index.js) against local templates with --local-agents-prefix, --skip-install, --disable-git.
INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET=test-bypass-secret-for-ci (the bug this PR fixes)
activities-planner
Live setup-dev flow (26 assertions)
Ran the real generateSecrets logic with real node:crypto against the CLI-produced .env file.
BEGIN PRIVATE KEY / BEGIN PUBLIC KEY)
your-secret-key-change-in-production and adminADMIN!@12 both gone
E2E 403 Origin fix (10 assertions)
Parsed the actual test file to verify the Origin header contract.
manageApiUrl = http://127.0.0.1:3002 (health checks), dashboardApiUrl = http://localhost:3002 (auth)
manageApiUrl (127.0.0.1)
dashboardApiUrl (localhost), not manageApiUrl (127.0.0.1)
dashboardApiUrl (localhost), not manageApiUrl (127.0.0.1)
dashboardApiUrl, 0 uses of manageApiUrl as Origin
INKEEP_AGENTS_API_URL: dashboardApiUrl
localhost:3002 (not 127.0.0.1), no JWT_SIGNING_SECRET check (deferred)
fs.realpath() before standalone dir lookup, error includes resolved path + build suggestion
trustedOrigins includes localhost:3000, localhost:3002; no 127.0.0.1
Docker E2E: setup-dev with real databases
Ran the real pnpm setup-dev against Docker containers (Doltgres :5432, PostgreSQL :5433, SpiceDB :50051).
.env.example → .env copied with correct header and all sections
Docker E2E: Idempotency test
114afe85094b00f593c68bd859e19b4d before and after)
Docker E2E: API server + auth flow
Started the API server from the PR branch against Docker databases.
Additional verification
<generated by setup-dev>, all 4 secret types, localhost URLs
startsWith for var matching (no partial collisions); placeholders are exact string comparisons
How to verify
npx @inkeep/create-agents my-test-project, provide API keys, run pnpm setup-dev — verify .env has all vars including INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET and generated secrets
pnpm setup-dev — verify .env created from .env.example with all secrets generated
pnpm setup-dev is idempotent (running twice doesn't regenerate secrets)
🤖 Generated with Claude Code