chore(ci,env): align env variables and workflows

- Clean .env (remove embedded JSON), add VITE_GOOGLE_OAUTH_CLIENT_ID and server GOOGLE_OAUTH_CLIENT_ID
- Update .env.example with VITE_GOOGLE_OAUTH_CLIENT_ID and docs
- Harden static-analysis CI to include both frontend and backend envs
- Expand .gitignore to exclude all Firebase service account keys and CLI state
- Track firebase.json hosting config

Build/lint pass locally; Firebase service account files now protected from git.

Author: MStarRobotics

.env.example

@@ -15,6 +15,9 @@ VITE_FIREBASE_MEASUREMENT_ID=
 # reCAPTCHA v2 site key for phone auth (invisible or container-based)
 VITE_FIREBASE_RECAPTCHA_SITE_KEY=
 
+# Google Identity (frontend sign-in)
+VITE_GOOGLE_OAUTH_CLIENT_ID=
+
 # Backend / server configuration
 PORT=4000
 JWT_SECRET=update-this-secret

.github/workflows/static-analysis.yml

@@ -28,26 +28,36 @@ jobs:
           cache: 'npm'
 
       - name: Create CI .env
-        env:
-          VITE_FIREBASE_API_KEY: ${{ secrets.VITE_FIREBASE_API_KEY }}
-          VITE_FIREBASE_AUTH_DOMAIN: ${{ secrets.VITE_FIREBASE_AUTH_DOMAIN }}
-          VITE_FIREBASE_PROJECT_ID: ${{ secrets.VITE_FIREBASE_PROJECT_ID }}
-          VITE_FIREBASE_STORAGE_BUCKET: ${{ secrets.VITE_FIREBASE_STORAGE_BUCKET }}
-          VITE_FIREBASE_MESSAGING_SENDER_ID: ${{ secrets.VITE_FIREBASE_MESSAGING_SENDER_ID }}
-          VITE_FIREBASE_APP_ID: ${{ secrets.VITE_FIREBASE_APP_ID }}
-          VITE_FIREBASE_MEASUREMENT_ID: ${{ secrets.VITE_FIREBASE_MEASUREMENT_ID }}
-          VITE_GEMINI_API_KEY: ${{ secrets.VITE_GEMINI_API_KEY }}
         run: |
-          {
-            echo "VITE_FIREBASE_API_KEY=$VITE_FIREBASE_API_KEY"
-            echo "VITE_FIREBASE_AUTH_DOMAIN=$VITE_FIREBASE_AUTH_DOMAIN"
-            echo "VITE_FIREBASE_PROJECT_ID=$VITE_FIREBASE_PROJECT_ID"
-            echo "VITE_FIREBASE_STORAGE_BUCKET=$VITE_FIREBASE_STORAGE_BUCKET"
-            echo "VITE_FIREBASE_MESSAGING_SENDER_ID=$VITE_FIREBASE_MESSAGING_SENDER_ID"
-            echo "VITE_FIREBASE_APP_ID=$VITE_FIREBASE_APP_ID"
-            echo "VITE_FIREBASE_MEASUREMENT_ID=$VITE_FIREBASE_MEASUREMENT_ID"
-            echo "VITE_GEMINI_API_KEY=$VITE_GEMINI_API_KEY"
-          } > .env
+          cat <<'EOF' > .env
+          # Frontend (Vite)
+          VITE_FIREBASE_API_KEY=
+          VITE_FIREBASE_AUTH_DOMAIN=
+          VITE_FIREBASE_PROJECT_ID=
+          VITE_FIREBASE_STORAGE_BUCKET=
+          VITE_FIREBASE_MESSAGING_SENDER_ID=
+          VITE_FIREBASE_APP_ID=
+          VITE_FIREBASE_MEASUREMENT_ID=
+          VITE_GOOGLE_OAUTH_CLIENT_ID=
+          VITE_GEMINI_API_KEY=
+          VITE_PUBLIC_ONCHAINKIT_API_KEY=
+          VITE_BASE_RPC_URL=https://sepolia.base.org
+          VITE_FRACTAL_RECIPE_CONTRACT_ADDRESS=
+          VITE_FRACTAL_RECIPE_DEPLOY_BLOCK=0
+
+          # Backend (server)
+          PORT=4000
+          JWT_SECRET=ci-secret
+          JWT_TTL_SECONDS=3600
+          CORS_ORIGIN=http://localhost:5173
+          FIREBASE_PROJECT_ID=ci
+          FIREBASE_CLIENT_EMAIL=
+          FIREBASE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n\n-----END PRIVATE KEY-----\n"
+          GOOGLE_OAUTH_CLIENT_ID=
+          PASSWORD_MIN_LENGTH=10
+          PWD_RESET_OTP_TTL_MS=600000
+          PWD_RESET_MAX_ATTEMPTS=5
+          EOF
 
       - name: Install dependencies
         run: npm install

.gitignore

@@ -14,8 +14,12 @@ dist-ssr
 .env
 .env.*
 
-# Firebase service account (keep out of git)
-zero-e6888-firebase-adminsdk-fbsvc-c1f10a9df2.json
+# Firebase service accounts (keep out of git)
+zero-e6888-firebase-adminsdk-*.json
+
+# Firebase CLI local state
+.firebase/
+.firebaserc
 
 # Editor directories and files
 .vscode/*

README.md

@@ -95,42 +95,49 @@ These can be wired into UI buttons as needed. For SMS delivery of OTP in server
 
 ## How to operate and run
 
-1) Install toolchain and dependencies
-```bash
-npm ci
-```
+1. Install toolchain and dependencies
 
-2) Populate `.env` (copy from `.env.example`). For Firebase Admin, escape newlines in `FIREBASE_PRIVATE_KEY` using `\n`.
+        ```bash
+        npm ci
+        ```
 
-3) Local quality gates
-```bash
-npm run lint
-npm run typecheck
-npm run build
-```
+2. Populate `.env` (copy from `.env.example`). For Firebase Admin, escape newlines in `FIREBASE_PRIVATE_KEY` using `\n`.
 
-4) Start backend and frontend (separate terminals)
-```bash
-npm run server    # http://localhost:4000
-npm run dev       # http://localhost:5173
-```
+3. Run local quality gates
 
-5) Test APIs quickly (optional)
-```bash
-curl http://localhost:4000/health
-```
+        ```bash
+        npm run lint
+        npm run typecheck
+        npm run build
+        ```
 
-6) E2E auth smoke test (server must be running)
-```bash
-npm run test:e2e-auth
-```
+4. Start backend and frontend (separate terminals)
+
+        ```bash
+        npm run server    # http://localhost:4000
+        npm run dev       # http://localhost:5173
+        ```
+
+5. Test APIs quickly (optional)
+
+        ```bash
+        curl http://localhost:4000/health
+        ```
+
+6. Execute the E2E auth smoke test (server must be running)
+
+        ```bash
+        npm run test:e2e-auth
+        ```
 
 Postman:
+
 - Import `postman/FractalAuth.postman_collection.json`
 - Set `baseUrl` to your server (default `http://localhost:4000`)
 - Use `token` variable after logging in to call protected endpoints
 
 Secrets hygiene:
+
 - `.env` and service-account JSON must not be committed (already git-ignored).
 - Use GitHub Actions Secrets for CI.
 - Rotate leaked keys immediately.
@@ -148,4 +155,5 @@ Vite + React + TypeScript • Tailwind • viem/wagmi • OnchainKit • Express
 - Enable GitHub’s secret scanning and CodeQL (workflows included).
 
 ## License
+
 Creative Commons BY‑NC‑SA 4.0. See `LICENSE.md`.

firebase.json

@@ -0,0 +1,14 @@
+{
+  "hosting": {
+    "site": "yourecipegenerator",
+    "public": "dist",
+    "ignore": [
+      "firebase.json",
+      "**/.*",
+      "**/node_modules/**"
+    ],
+    "rewrites": [
+      { "source": "**", "destination": "/index.html" }
+    ]
+  }
+}

package-lock.json

@@ -20,7 +20,7 @@
     "cors": "^2.8.5",
     "dotenv": "^16.4.5",
     "express": "^5.1.0",
-    "firebase": "^12.4.0",
+    "firebase": "^12.5.0",
     "firebase-admin": "^13.5.0",
     "helmet": "^7.1.0",
     "jsonwebtoken": "^9.0.2",