Add .env.example and fix React Hooks rule violation

[Copilot]

Addresses technical hygiene gaps: missing environment variable documentation, conditional hook call violating Rules of Hooks, and vulnerable dependencies.

Changes

.env.example (new)

• Documents 12 frontend (VITE_*) and 28 backend environment variables
• Inline comments for purpose and format
• Setup instructions included

src/components/onboarding/OnboardingTrigger.jsx

• Fixed conditional useOnboarding() call inside try-catch block
• Hook now called unconditionally at component top level

// Before: violates Rules of Hooks
let onboardingContext;
try {
  onboardingContext = useOnboarding();  // ❌ conditional
} catch (error) {
  return null;
}

// After: compliant
const onboardingContext = useOnboarding();  // ✅ unconditional
if (!onboardingContext) {
  return null;
}

package-lock.json

• jspdf 4.0.0 → 4.1.0 (fixes 4 vulnerabilities)
• lodash 4.17.21 → 4.17.23 (fixes prototype pollution)
• Auto-applied via npm install, all patch-level updates

.gitignore

• Added !.env.example exception to allow committing example file

Security Impact

• 0 high/critical vulnerabilities remaining (was 1 high, 2 moderate)
• 1 low severity in quill requires breaking change (not addressed)

Note

CODEBASE_AUDIT.md referenced Layout.jsx line 98, but no hooks violations found there. Actual violation was in OnboardingTrigger.jsx.

Original prompt

ROLE:
You are a Senior Staff Engineer acting as a short-horizon execution agent. Your goal is to close all immediate technical hygiene gaps safely and verifiably within the existing codebase.

SCOPE:
Timebox: 1 week
Risk tolerance: Low (no breaking changes)
Focus: Correctness, security, developer experience

OBJECTIVES:

1. Create a .env.example file that lists ALL required environment variables used anywhere in the repo.
   • No secrets
   • Clear naming
   • Inline comments describing purpose and format
2. Identify and fix all React Hooks rule violations in src/Layout.jsx.
   • Ensure hooks are called unconditionally
   • Preserve existing behavior and UI
3. Run npm audit fix (non-breaking only).
   • Commit the updated package-lock.json
   • Do NOT upgrade major versions unless strictly required

CONSTRAINTS:

• Do not refactor unrelated code
• Do not change runtime behavior unless it fixes a bug
• Prefer minimal diffs
• If a change is risky, explain it before applying

DELIVERABLES:

• Diff-style explanation of changes
• Updated .env.example
• Confirmation that hooks now pass eslint-react-hooks
• Confirmation that npm audit reports zero high/critical issues

VERIFICATION:

• npm install succeeds
• npm run build succeeds
• App boots without warnings related to hooks or env vars

OUTPUT FORMAT:

1. Summary of fixes
2. File-by-file change list
3. Any remaining risks or follow-ups

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

---

Summary by cubic

Adds a .env.example that documents all env vars (frontend and backend) and fixes a React Hooks rule in OnboardingTrigger.jsx. Also includes patch dependency updates from npm audit to clear security warnings.

• New Features

  • Added .env.example with all VITE_* and backend vars, inline purpose/format notes, and setup steps (no secrets).
  • Updated .gitignore to allow committing .env.example.

• Bug Fixes

  • Call useOnboarding at the top level in src/components/onboarding/OnboardingTrigger.jsx; behavior unchanged.
  • Applied npm audit patch updates: jspdf 4.1.0, lodash/lodash-es 4.17.23, dompurify 3.3.1 (optional). No high/critical issues remain.

^{Written for commit 220d564. Summary will update on new commits.}

[cubic-dev-ai]

1 issue found across 4 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="src/components/onboarding/OnboardingTrigger.jsx">

<violation number="1" location="src/components/onboarding/OnboardingTrigger.jsx:13">
P2: `useOnboarding()` throws when no provider is present, so the new unconditional call will throw before the null check executes. This reintroduces a runtime crash when `OnboardingTrigger` is rendered outside `OnboardingProvider`, and the `if (!onboardingContext)` guard is unreachable. Consider adding a non-throwing hook (or exporting the context) for this component’s fallback behavior.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: useOnboarding() throws when no provider is present, so the new unconditional call will throw before the null check executes. This reintroduces a runtime crash when OnboardingTrigger is rendered outside OnboardingProvider, and the if (!onboardingContext) guard is unreachable. Consider adding a non-throwing hook (or exporting the context) for this component’s fallback behavior.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At src/components/onboarding/OnboardingTrigger.jsx, line 13:

<comment>`useOnboarding()` throws when no provider is present, so the new unconditional call will throw before the null check executes. This reintroduces a runtime crash when `OnboardingTrigger` is rendered outside `OnboardingProvider`, and the `if (!onboardingContext)` guard is unreachable. Consider adding a non-throwing hook (or exporting the context) for this component’s fallback behavior.</comment>

<file context>
@@ -9,12 +9,11 @@ import {
-  } catch (error) {
-    // If we're not inside OnboardingProvider, don't render
+  // Call hook unconditionally at the top level (Rules of Hooks)
+  const onboardingContext = useOnboarding();
+
+  // Handle case where context is not available
</file context>

[Copilot]

Pull request overview

Adds environment-variable setup documentation and updates onboarding UI code to comply with React Hooks rules, alongside patch-level dependency lockfile updates.

Changes:

• Added a committed .env.example with documented frontend (VITE_*) and backend env vars, and adjusted .gitignore to allow it.
• Updated OnboardingTrigger.jsx to call useOnboarding() unconditionally.
• Updated package-lock.json to pick up patched dependency versions (e.g., jspdf, lodash).

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated 2 comments.

File	Description
src/components/onboarding/OnboardingTrigger.jsx	Moves useOnboarding() to unconditional top-level call; current implementation needs adjustment to preserve “safe outside provider” behavior.
package-lock.json	Patch/minor lockfile updates for vulnerability remediation.
.gitignore	Un-ignores .env.example so it can be committed.
.env.example	Introduces example env var file with setup instructions; contains at least one “required” var not used by runtime code.

[Copilot]

useOnboarding() throws when used outside OnboardingProvider (see OnboardingProvider.jsx), so calling it unconditionally here will crash before the if (!onboardingContext) guard runs. To keep the “render nothing outside provider” behavior while staying Rules-of-Hooks compliant, switch to an optional context read (e.g., export/use the raw context with useContext), or add a useOptionalOnboarding() hook that returns undefined instead of throwing and use that here.

[Copilot]

.env.example documents VITE_BASE44_API_URL as a required frontend variable, but the runtime client initialization uses VITE_BASE44_BACKEND_URL/VITE_BASE44_APP_ID via src/lib/app-params.js and src/api/base44Client.js; VITE_BASE44_API_URL is only referenced in docs. Consider removing it from the “Required” section or marking it optional / aligning the code+docs on a single variable name to avoid confusing setup.

Suggested change

	# Base44 Configuration (Required)
	VITE_BASE44_APP_ID=your_base44_app_id_here
	VITE_BASE44_BACKEND_URL=https://your-base44-backend.example.com
	# Base44 Configuration (Required: VITE_BASE44_APP_ID and VITE_BASE44_BACKEND_URL)
	VITE_BASE44_APP_ID=your_base44_app_id_here
	VITE_BASE44_BACKEND_URL=https://your-base44-backend.example.com
	# Optional: reserved for future direct Base44 API calls; not used by the current frontend client