indifferentketchup/broccolini-bot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
21618efbad9515f287f0235382e46aa9b944d575
broccolini-bot/docs/setup/ENV_AND_SECURITY.md
samkintop 6821424663 First upload
2026-02-17 21:49:58 -06:00

4.0 KiB
Raw Blame History

Environment, Test Env, and Security

Test environment (prevent data loss)

.env is production/live. Changes to .env can affect real tickets, Discord, Gmail, and MongoDB. To try config changes safely:

  1. Copy the test template:
    cp .env.test.example .env.test

  2. Edit .env.test with test-only values (e.g. test guild, test MongoDB database name, test API URL). Use a separate test DB in MONGODB_URI to avoid touching production data.

  3. Run the bot with the test env:
    npm run start:test
    Or: ENV_FILE=.env.test node broccolini-discord.js

  4. Other scripts with test env:

    • npm run test-mongodb:test — test MongoDB connection using .env.test

  5. After confirming behavior, migrate only the desired variables from .env.test into .env (manually). Do not overwrite .env blindly.

Rule: New or risky env changes are done in .env.test first; only after confirmation are they applied to .env.

Agent / AI rules

  • Changes to .env by an agent (e.g. Cursor) must require explicit user confirmation. Do not modify .env automatically. Prefer proposing changes to .env.test or listing the exact edits for the user to apply to .env.
  • Do not commit .env or .env.test. Only .env.example and .env.test.example are committed (no secrets).

Security checklist

  • Secrets: All secrets live in .env (or .env.test for test). Never commit them. .gitignore excludes .env and .env.* except .env.example and .env.test.example.
  • Code: No eval() or new Function() of user input. No hardcoded tokens, passwords, or API keys in source.
  • Config: Credentials are read from process.env via config.js; config is loaded once at startup from the file specified by ENV_FILE or default .env.
  • MongoDB: Use a dedicated user and database; restrict network access (Atlas IP allowlist or VPC). For test, use a separate DB or cluster.
  • Discord / Google: Use tokens with minimal required scopes; rotate if compromised.
  • HTML in emails: LOGO_URL, EMAIL_SIGNATURE, and closure messages are escaped in outbound HTML to prevent injection.
  • Healthcheck: Optional HEALTHCHECK_HOST=127.0.0.1 in .env binds the healthcheck server to localhost only; omit to listen on all interfaces.
  • Dependencies: Run npm audit periodically and fix or accept risk for reported vulnerabilities.

Cleanup and redundancy

  • Single source of truth for env keys: .env.example and .env.test.example list all supported variables. Defaults for optional vars live in config.js; do not duplicate default values in both .env.example and config.js for the same value (.env.example documents, config.js implements).
  • No duplicate env files: Use .env for live, .env.test for test; do not commit .env.local, .env.production, etc. unless documented and gitignored as needed.
  • Parent repo (IB-Discord-Bot): Broccolini Bot does not reference sibling paths (e.g. ../ngrok) in code. Run order and ports are documented in ~/IB-Discord-Bot/README.md.

Connection to IB-Discord-Bot stack

Broccolini Bot is a subproject of IB-Discord-Bot. It does not import or require files outside broccolini-bot/. Integration is via:

  • Ports: Broccolini Bot healthcheck uses DISCORD_ONLY_PORT (default 5000). Use a different port in .env.test (e.g. 5001) if running bot and test bot on the same machine.

See parent ~/IB-Discord-Bot/README.md for run order, ports, and troubleshooting.

Quick reference

File / command Purpose
.env Live config (never commit).
.env.test Test config (never commit).
.env.example Template for .env (committed).
.env.test.example Template for .env.test (committed).
ENV_FILE=.env.test Load .env.test instead of .env.
npm run start:test Run bot with .env.test.
npm run test-mongodb:test Test MongoDB using .env.test.
Reference in New Issue View Git Blame Copy Permalink