[DX] Clean up .env.example: remove duplicates, add source comments, improve onboarding

[udaycodespace]

PR Description

Summary

This PR cleans up .env.example to improve first-time contributor onboarding by removing duplicate entries, adding concise source comments, and including cross-platform setup instructions.

Changes

• Removed duplicate Razorpay env variables (fixes [DX] Duplicate Razorpay env entries in .env.example #207)
• Added source comments for credentials:
  • Supabase: direct dashboard link
  • Resend: API keys + webhook setup links
  • Razorpay: unified comments per variable
  • Auth secrets: quick openssl example
• Added cross-platform copy instructions at the top:
  • Linux/macOS: cp .env.example .env
  • PowerShell: Copy-Item .env.example .env

Why this matters

• Reduces confusion during local setup
• Makes it clear where to obtain each credential
• Helps Windows users avoid command syntax issues
• Keeps comments short and actionable

Testing

• Verified all env variables are present and non-duplicated
• Confirmed comments are concise and include correct dashboard links
• Tested copy commands on Linux and PowerShell

Closes #207

Summary by CodeRabbit

• Documentation
  • Enhanced environment configuration setup guide with explicit copy commands for Linux, macOS, and PowerShell.
  • Added clearer authentication guidance for generating secure configuration values.
  • Reorganized and consolidated external service configuration sections (Supabase, Resend, Razorpay) for improved clarity.

[coderabbitai]

Warning

Review limit reached

@udaycodespace, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 57 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4868405b-9d2b-4ce2-8a41-1b2411d5bde7

📥 Commits

Reviewing files that changed from the base of the PR and between 76bebe2 and 2c868fb.

📒 Files selected for processing (1)

• .env.example

📝 Walkthrough

Walkthrough

This PR updates .env.example to clarify setup steps with explicit copy commands for different operating systems, adds guidance for authentication secret generation, and consolidates external service configuration comments while deduplicating Razorpay environment variable entries.

Changes

Environment Configuration Refresh

Layer / File(s)	Summary
Setup instructions and authentication guidance .env.example	Replaced generic copy-to-.env instruction with explicit Linux/macOS (cp) and PowerShell (Copy-Item) commands. Added authentication section guidance explaining how to generate random string values for secrets.
External services consolidation and Razorpay deduplication .env.example	Reorganized Supabase, Resend, Frontend, and Billing sections with refreshed documentation comments. Removed duplicate RAZORPAY_KEY_ID and RAZORPAY_KEY_SECRET entries and consolidated placeholders while keeping RAZORPAY_WEBHOOK_SECRET present.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A rabbit hops through setup files with glee, 🐰
Copy-paste commands now plain for all to see,
Razorpay twins no more shall confuse,
Clear auth guidance—no secrets to lose! ✨
Configuration clarity, our gift to thee!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main changes: removing duplicates, adding source comments, and improving onboarding for .env.example.
Linked Issues check	✅ Passed	The PR removes duplicate Razorpay environment variables, adds source comments with dashboard links and setup instructions, and includes cross-platform copy commands as required by issue #207.
Out of Scope Changes check	✅ Passed	All changes are focused on .env.example cleanup and onboarding improvements directly aligned with issue #207; no out-of-scope modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.env.example:
- Line 58: Add a single trailing newline at the end of the .env.example file so
the file ends with a blank line (this fixes the dotenv-linter EndingBlankLine
warning); locate the RAZORPAY_WEBHOOK_SECRET line and ensure there is one
newline character after it (no extra characters or spaces).
- Around line 21-24: The ENCRYPTION_KEY guidance is inconsistent with how the
code decodes it (Buffer.from(..., 'hex') in
packages/common/src/utils/encryption.js); update the .env.example ENCRYPTION_KEY
line to instruct generating a hex string (e.g., use openssl rand -hex 32) and
specify the expected length (64 hex chars for a 32-byte key) so the env value
matches Buffer.from(..., 'hex') at runtime. Also briefly clarify that
JWT_SECRET/API_KEY_SALT can remain base64 if desired, but ENCRYPTION_KEY must be
hex.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5526b44b-f770-4802-bf0d-2aed1fab482d

📥 Commits

Reviewing files that changed from the base of the PR and between 1cf5a6e and 76bebe2.

📒 Files selected for processing (1)

• .env.example

[yash-pouranik]

i created secrets from crypy.randombytes(32).tostring('hex')
@coderabbitai

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@yash-pouranik Thanks for sharing! That's a valid Node.js approach — crypto.randomBytes(32).toString('hex') generates a 64-character hex string, which works well as an auth secret.

Since this project likely uses Node.js, it might be worth adding it as an inline alternative in the .env.example comment alongside the openssl example, so contributors can pick whichever tool they have available:

# Generate a random secret: openssl rand -base64 32
# Or with Node.js: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

That way, Windows users without openssl can still easily generate a secret. Would you like to include that in this PR?