
chore: production phase 1 setup (env + gitignore)#31

Merged
digitalstore2025 merged 1 commit intomainfrom
chore/deploy-ready-vite
Mar 30, 2026

Conversation

@digitalstore2025 (Owner) commented Mar 28, 2026

User description

Adds initial production readiness files: .gitignore and environment template. Part of phase 1 production hardening.

Summary by Sourcery

Set up initial production readiness configuration files for the repository.

Chores:

  • Introduce a base .gitignore for the project.
  • Add a template .env.example file for configuring environment variables.

CodeAnt-AI Description

Provide the environment variables needed to set up the app

What Changed

  • Added an example environment file with the required Gemini API key placeholder
  • Included the app name value expected for local and production setup

Impact

✅ Simpler app setup
✅ Fewer missing environment variable issues
✅ Clearer deployment configuration


@codeant-ai Bot commented Mar 28, 2026

CodeAnt AI is reviewing your PR.

@sourcery-ai Bot commented Mar 28, 2026

Reviewer's Guide

Introduces initial production readiness scaffolding by updating the root .gitignore and adding a new .env.example file to standardize environment configuration for production phase 1.

File-Level Changes

  • .env.example: Initialize and standardize environment configuration via an example env file.
      - Add a new .env.example template file to document required environment variables and their expected usage
      - Provide a baseline for developers and ops to create local and production .env files consistently
  • .gitignore: Tighten repository hygiene by updating ignored files for production-focused workflows.
      - Adjust .gitignore to exclude environment files and other non-source artifacts from version control
      - Ensure production secrets and generated artifacts are not accidentally committed


@sourcery-ai Bot left a review comment

Hey - I've reviewed your changes and they look great!



@codeant-ai Bot added the label size:XS (This PR changes 0-9 lines, ignoring generated files) Mar 28, 2026

@codeant-ai Bot commented Mar 28, 2026

CodeAnt AI finished reviewing your PR.

@chatgpt-codex-connector Bot left a review comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fd7d9db7d4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .gitignore
Comment on lines +3 to +5
.env
.env.local
.env.production
P1: Restore ignore for mode-specific local env files

Narrowing the ignore rules to .env, .env.local, and .env.production drops coverage that previously came from *.local, so files like .env.production.local / .env.development.local are now tracked by default. Those files are commonly used for machine-specific secrets, so this change creates a realistic path to accidentally committing API keys during normal local or release workflows.


@chatgpt-codex-connector Bot left a review comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 41f6ac5636


Comment thread Dockerfile Outdated
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
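Review bot: `RUN npm install` resolves dependencies afresh from the registry on every build instead of enforcing the lockfile, so two builds of the same commit can end up with different package versions inside the image; replace it with `RUN npm ci`, which requires package-lock.json, installs exactly what it pins and fails on a mismatch, so the image matches what was reviewed. `COPY package*.json ./` already brings the lockfile into the layer, so no other change is needed for that.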
P1: Prevent copying local secrets into Docker image

The COPY . . step includes the entire build context in image layers, and this repo does not add a .dockerignore. In a normal developer or CI environment where .env/.env.* files exist locally (even if gitignored), those secrets are baked into the image and can be exposed when the image is shared or pushed to a registry. Limit copied files or add a .dockerignore that excludes env files and other local artifacts.


Comment thread Dockerfile Outdated
RUN npm install
COPY . .
RUN npm run build
CMD ["npm","run","preview"]
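Review bot: Separately from `vite preview` not being a production server, its default bind address is localhost, so with `CMD ["npm","run","preview"]` the process comes up inside the container but nothing outside it can connect unless the command passes `--host` (or the Vite config sets `preview.host`); whichever runtime replaces this should bind to all interfaces and read the platform-provided PORT.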
P2: Use a production server instead of vite preview

The container entrypoint runs npm run preview, but Vite documents preview as a way to locally verify a production build rather than a hardened production runtime. Using it as the long-running server for deployment can lead to avoidable reliability/performance issues; switch the image runtime to a production-grade static server for the built dist output.

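To make the two ignore-file findings above concrete (the narrowed .gitignore rules, and `COPY . .` with no .dockerignore), here is an added example, not code from this PR or its repository: a small ignore-rule matcher run over a constructed snapshot of a developer checkout. The file list, the rule sets and the function names are this example's own; the NARROWED_GITIGNORE list repeats the three lines quoted from the hunk. The matcher covers the subset of syntax that matters here (`*` and `?` never crossing `/`, a leading `**/` meaning any depth, `!` negation, last matching rule wins) and does not model re-including a path whose parent directory is already ignored.

```javascript
// Translate one ignore glob into an anchored RegExp over a forward-slash path.
function globToRegex(glob) {
  let re = "^";
  for (let i = 0; i < glob.length; i++) {
    if (glob.startsWith("**/", i)) { re += "(?:.*/)?"; i += 2; }   // zero or more directories
    else if (glob.startsWith("**", i)) { re += ".*"; i += 1; }     // trailing "**"
    else if (glob[i] === "*") re += "[^/]*";                       // "*" never crosses "/"
    else if (glob[i] === "?") re += "[^/]";
    else re += glob[i].replace(/[.+^$()[\]{}|\\]/, "\\$&");
  }
  return new RegExp(re + "$");
}

// Evaluate an ordered rule list against one path.
// gitignore (anchored=false): a pattern without "/" matches the basename of the file or of
// any parent directory; a pattern containing "/" is rooted at the repository root.
// .dockerignore (anchored=true): every pattern is rooted at the build-context root, and
// "**/" is how a pattern reaches into subdirectories.
function isIgnored(path, rules, { anchored = false } = {}) {
  const parts = path.split("/");
  let ignored = false;
  for (const raw of rules) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const negate = line.startsWith("!");
    const body = (negate ? line.slice(1) : line).replace(/\/$/, ""); // trailing "/" only says "directory"
    const rooted = anchored || body.includes("/");
    const re = globToRegex(body.replace(/^\//, ""));
    const candidates = rooted
      ? parts.map((_, i) => parts.slice(0, i + 1).join("/"))      // "apps", "apps/api", "apps/api/.env"
      : parts;                                                     // each component's basename
    if (candidates.some((c) => re.test(c))) ignored = !negate;     // last matching rule wins
  }
  return ignored;
}

// Constructed snapshot of a developer checkout: tracked sources plus local env files.
const CHECKOUT = [
  ".env.example", ".env", ".env.local", ".env.production", ".env.production.local",
  "apps/api/.env", "apps/api/.env.development.local",
  "src/main.jsx", "node_modules/express/index.js", "dist/index.html",
];

// The narrowed rules quoted from this PR's .gitignore hunk (lines +3 to +5).
const NARROWED_GITIGNORE = [".env", ".env.local", ".env.production"];
// A rule set that restores the dropped *.local coverage while keeping the template tracked.
const RESTORED_GITIGNORE = ["node_modules/", "dist/", ".env", ".env.*", "*.local", "!.env.example"];
// A .dockerignore to pair with `COPY . .`; "**/" is required because patterns are rooted.
const DOCKERIGNORE = [".git", "node_modules", "dist", "**/.env", "**/.env.*", "!**/.env.example"];

const isEnvFile = (p) => p.split("/").pop().startsWith(".env") && !p.endsWith(".env.example");

// Env-looking files that `git add .` would stage under a given .gitignore.
function trackedEnvFiles(gitignoreRules, files = CHECKOUT) {
  return files.filter((f) => isEnvFile(f) && !isIgnored(f, gitignoreRules));
}

// Files `COPY . .` would bake into image layers under a given .dockerignore ([] = everything).
function buildContext(dockerignoreRules, files = CHECKOUT) {
  return files.filter((f) => !isIgnored(f, dockerignoreRules, { anchored: true }));
}

console.log("tracked with narrowed rules   :", trackedEnvFiles(NARROWED_GITIGNORE));
console.log("tracked with restored rules   :", trackedEnvFiles(RESTORED_GITIGNORE));
console.log("image context, no .dockerignore:", buildContext([]));
console.log("image context, .dockerignore   :", buildContext(DOCKERIGNORE));
```

Under the narrowed rules `.env.production.local` and `apps/api/.env.development.local` stay trackable; the restored set leaves no env file trackable. With no .dockerignore the whole checkout, gitignored env files included, goes into the image; the `**/` prefix matters because a bare `.env` in .dockerignore only matches the root file, not `apps/api/.env`.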

@chatgpt-codex-connector Bot left a review comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2a796483fc


Comment thread apps/api/src/index.js Outdated
res.json({ status: "ok" });
});

app.listen(4000, () => console.log("API running on 4000"));
P1: Bind API listener to environment-configured port

The server always listens on 4000, which ignores both API_PORT from apps/api/.env.example and the PORT value that platforms like Vercel/Render/Heroku inject at runtime. In those environments, health checks target the assigned port, so the service can boot but remain unreachable. Read from process.env.PORT (with a fallback) when calling listen.


Comment thread apps/api/src/routes/auth.js Outdated
Comment on lines +9 to +11
const user = { id: Date.now().toString(), email, password: hash };
users.push(user);
res.json(user);
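Review bot: `id: Date.now().toString()` is a predictable, millisecond-resolution identifier: two registrations in the same millisecond collide, and any user's id can be guessed from roughly when they signed up. Use `crypto.randomUUID()` from Node's built-in crypto (or let the database assign the id) before this is wired to Prisma; the `users.push(user)` array also loses every account on restart, which is fine for a placeholder but should be marked as one.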
P1: Do not return password hash from register handler

This response serializes the full user object, which includes the bcrypt hash in password. Returning credential hashes to clients (and logs/proxies along the path) unnecessarily exposes material for offline cracking and is a security regression; return only non-sensitive fields (e.g., id/email/token) instead.


Comment thread apps/api/package.json Outdated
Comment on lines +9 to +13
"dependencies": {
"cors": "^2.8.5",
"dotenv": "^16.4.7",
"express": "^4.21.2",
"helmet": "^8.1.0"
P2: Add missing auth runtime dependencies

apps/api imports jsonwebtoken and bcryptjs in src/middleware/auth.js and src/routes/auth.js, but neither package is declared in this package's dependencies. In a clean install, importing these modules for auth wiring will fail with module resolution errors, blocking auth endpoints from starting.

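The port-binding finding above (and the later point that the API template must carry DATABASE_URL and JWT_SECRET) both come down to reading configuration once, at startup, and refusing to run when it is incomplete. The following is an added example, not code from this PR or its repository: a fail-fast settings loader for apps/api. The variable names come from the review comments (PORT, API_PORT, DATABASE_URL, JWT_SECRET, the STRIPE_* keys); the placeholder detection, the minimum secret length and the function names are this example's own choices. `loadConfig` takes the env object as a parameter so it can be checked without touching process.env.

```javascript
const REQUIRED = ["DATABASE_URL", "JWT_SECRET"];          // auth and Prisma fail without these
const OPTIONAL = ["STRIPE_SECRET_KEY", "STRIPE_PUBLISHABLE_KEY", "STRIPE_PRICE_ID"];
const MIN_SECRET_LENGTH = 32;                              // characters; e.g. `openssl rand -hex 32`

// Values such as `sk_test_...` or `price_...` copied unchanged from .env.example into a
// real .env must not count as configured.
const looksLikePlaceholder = (v) => /\.\.\.$/.test(v) || /^(changeme|todo|xxx|replace[-_]?me)$/i.test(v);

// Platform-injected PORT wins (Render, Railway and Heroku set it at runtime); API_PORT is
// the project's own variable from apps/api/.env.example; 4000 keeps the local default.
function resolvePort(env) {
  const raw = env.PORT ?? env.API_PORT ?? "4000";
  const port = Number(raw);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`PORT/API_PORT must be an integer in 1..65535, got ${JSON.stringify(raw)}`);
  }
  return port;
}

function loadConfig(env) {
  const problems = [];
  for (const key of REQUIRED) {
    const value = (env[key] ?? "").trim();
    if (!value) problems.push(`${key} is not set`);
    else if (looksLikePlaceholder(value)) problems.push(`${key} still holds an example placeholder`);
  }
  const secret = (env.JWT_SECRET ?? "").trim();
  if (secret && secret.length < MIN_SECRET_LENGTH) {
    problems.push(`JWT_SECRET is shorter than ${MIN_SECRET_LENGTH} characters`);
  }
  let port;
  try {
    port = resolvePort(env);
  } catch (err) {
    problems.push(err.message);
  }
  if (problems.length) {
    // One error listing every problem beats crashing on the first missing key at request time.
    throw new Error("refusing to start:\n  - " + problems.join("\n  - "));
  }
  return {
    port,
    databaseUrl: env.DATABASE_URL.trim(),
    jwtSecret: secret,
    // Stripe stays optional until checkout is wired; a placeholder is treated as "not configured".
    stripe: Object.fromEntries(OPTIONAL.map((k) => [k, env[k] && !looksLikePlaceholder(env[k]) ? env[k] : null])),
    nodeEnv: env.NODE_ENV ?? "development",
  };
}

// The template apps/api/.env.example should carry so a fresh environment can satisfy loadConfig.
function envExampleTemplate() {
  return [
    "# required", ...REQUIRED.map((k) => `${k}=`),
    "# optional until Stripe checkout is wired up", ...OPTIONAL.map((k) => `${k}=`),
    "# optional; hosting platforms override this with PORT", "API_PORT=4000",
  ].join("\n");
}

// Startup wiring the way apps/api/src/index.js would use it (shown, not executed here):
//   const config = loadConfig(process.env);
//   app.listen(config.port, () => console.log(`API listening on ${config.port}`));
console.log(envExampleTemplate());
```

Calling `loadConfig` before `app.listen` means a deployment with a missing DATABASE_URL fails at boot with every gap listed, instead of passing the health check and then failing on the first login.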

@digitalstore2025 (Owner, Author) commented

Growth phase plan added for launch-to-scale execution:

1. Add product analytics (page views, signup funnel, pricing CTA clicks).
2. Add onboarding flow after signup.
3. Add email capture / waitlist component on landing and pricing pages.
4. Add SEO essentials: title, description, social preview, sitemap.
5. Add Stripe checkout wiring for conversion tracking.
6. Add admin dashboard metrics for users, signups, and paid conversions.

Current repo status in this PR:
- Frontend present
- Backend API present
- Auth present
- Prisma database layer present
- Pricing page present
- Stripe placeholder present

Remaining manual launch steps outside repo code:
- Merge PR #31
- Set production env vars
- Deploy frontend and backend
- Configure PostgreSQL and run Prisma migration
- Connect real Stripe keys and price IDs

After merge, next implementation branch can focus on analytics + onboarding + conversion tracking.

@digitalstore2025 (Owner, Author) commented

Growth system execution plan for the current SaaS repo:

Priority 1 — acquisition instrumentation
- Add analytics provider (PostHog or GA4) to frontend shell
- Track landing page views
- Track pricing page views
- Track CTA clicks on pricing buttons
- Track signup starts and signup completes

Priority 2 — conversion improvements
- Replace placeholder pricing buttons with working routes to signup or checkout
- Add onboarding steps after register
- Add testimonial / social proof blocks on landing page
- Add email capture form for users not ready to buy

Priority 3 — retention loop
- Add in-app empty-state guidance
- Add email follow-up automation for unfinished signup
- Add usage milestone prompts
- Add referral prompt after first successful use

Priority 4 — operator visibility
- Add admin metrics page: visits, signups, login count, checkout attempts
- Add backend event logging for auth and checkout endpoints

Suggested next code branch after merge of this PR:
- feat/growth-analytics-and-onboarding

Definition of success for first 7 days after launch:
- 100 landing visits
- 10 signup attempts
- 3 completed accounts
- 1 checkout attempt
- 1 paid conversion

This PR already establishes the product base: frontend, backend, auth, Prisma, pricing page, and Stripe placeholder. The next implementation cycle should focus on analytics, onboarding, and conversion instrumentation rather than new infrastructure.

@digitalstore2025 (Owner, Author) commented

Auto growth system blueprint for the next implementation cycle:

1) Acquisition automation
- Add waitlist / lead capture widget to landing and pricing pages
- Persist captured emails in backend storage
- Add referral code field during signup

2) Activation automation
- Add guided onboarding after account creation
- Track first successful action in product
- Trigger in-app prompt if user has not completed first action

3) Retention automation
- Add backend event log for signup, login, pricing view, checkout click
- Trigger reminder workflow for incomplete signup or inactive users
- Add simple milestone nudges after first successful use

4) Monetization automation
- Replace placeholder pricing CTA with working signup / checkout routing
- Track checkout attempts and conversion outcome
- Add plan selection state to frontend

5) Referral / loop automation
- Generate shareable referral code after signup
- Reward invited user or inviter with temporary upgrade flag
- Add share prompt after successful first result

6) Operator dashboard
- Add admin metrics route for visits, leads, signups, logins, checkout attempts, paid conversions
- Show funnel drop-off by step

Recommended next branch name:
feat/auto-growth-system

Success criteria for first operating cycle:
- Landing visits tracked
- Email captures stored
- Signup funnel tracked
- Pricing CTA tracked
- At least one referral path implemented

This should be implemented after merging PR #31 so growth automation builds on the current product base rather than parallel incomplete branches.

@chatgpt-codex-connector Bot left a review comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bd7069db34


Comment thread apps/api/.env.example Outdated
Comment on lines +1 to +3
STRIPE_SECRET_KEY=sk_test_...
STRIPE_PUBLISHABLE_KEY=pk_test_...
STRIPE_PRICE_ID=price_...
P1: Add required API vars to the env example

The new API template only includes Stripe keys, but this commit also introduces hard requirements for DATABASE_URL (Prisma datasource) and JWT_SECRET (token sign/verify). In a fresh environment configured from this file, auth/database paths fail at runtime because those variables are absent, which breaks the production bootstrap flow this change is meant to enable. Add the missing required keys (and the port variable used by the server) to this example file.


Comment thread apps/api/src/routes/auth.js Outdated
Comment on lines +10 to +12
const user = await prisma.user.create({
data: { email, password: hash }
});
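Review bot: `email` goes into the unique column exactly as the client sent it, so `Alice@example.com` and `alice@example.com` register as two accounts and the uniqueness guarantee the duplicate-email handling relies on is dodged by case and whitespace; trim and lowercase the address before `prisma.user.create`, and check that `email` and `password` are strings before hashing, since `hash` here is computed from whatever was in the body.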
P1: Handle Prisma failures inside async auth route

This await prisma.user.create(...) call is unguarded, so expected failures like duplicate email (User.email is unique) or transient DB errors reject the async handler. With Express 4 in this repo, rejected async route promises are not automatically forwarded, which can surface as unhandled rejections and may terminate the process under Node 20 defaults instead of returning a controlled HTTP error. Wrap this route in explicit error handling and map known Prisma errors to 4xx/5xx responses.


@digitalstore2025 (Owner, Author) commented

Deployment and first-100-users execution note:

1. Merge this PR to main.
2. Set production environment variables for frontend and API.
3. Deploy frontend on Vercel and API on Railway/Render.
4. Provision PostgreSQL and run Prisma migration.
5. Connect real Stripe keys and price ID.
6. Launch first-user funnel: landing -> pricing -> signup -> checkout.
7. Track only five metrics for week 1: landing visits, pricing views, signup starts, signup completes, checkout attempts.

Important blockers still visible in this PR review and should be addressed before production traffic:
- Harden Docker build context and runtime
- Ensure API env example includes all required variables
- Prevent returning password hash from register response
- Ensure API binds to runtime-provided PORT

After merge, the next branch should be dedicated to conversion instrumentation and onboarding, not infra expansion.

@digitalstore2025 force-pushed the chore/deploy-ready-vite branch from bd7069d to 677e8b8 on March 28, 2026 09:18
@digitalstore2025 digitalstore2025 merged commit e1d413d into main Mar 30, 2026
2 checks passed