
chore(env): harmonize example env files and fix OSV findings#142

Merged
gaboesquivel merged 2 commits into main from env on Mar 23, 2026

Conversation

@gaboesquivel (Member) commented Mar 23, 2026

  • Add env-files cursor rule, block-secret-files/gitleaks/trufflehog patterns
  • API: .env.defaults.example, .env.test.example; remove .env-sample
  • Web/mobile/docu: aligned .env.*.example and docs
  • pnpm overrides + @next/eslint-plugin-next for flatted, h3, next, socket.io-parser, undici

Summary by CodeRabbit

  • Documentation

    • Updated development setup instructions across apps to reference standardized environment file templates and configurations.
  • Chores

    • Upgraded Next.js to version 16.1.7 in web and documentation apps.
    • Updated various dependency versions for improved stability and security.

- Add env-files cursor rule, block-secret-files/gitleaks/trufflehog patterns
- API: .env.defaults.example, .env.test.example; remove .env-sample
- Web/mobile/docu: aligned .env.*.example and docs
- pnpm overrides + @next/eslint-plugin-next for flatted, h3, next, socket.io-parser, undici
@vercel vercel bot commented Mar 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
basilic-next | Ready | Preview, Comment | Mar 23, 2026 9:06pm

2 Skipped Deployments
basilic-docs | Ignored | Preview | Mar 23, 2026 9:06pm
basilic-fastify | Ignored | Preview | Mar 23, 2026 9:06pm

@coderabbitai coderabbitai bot commented Mar 23, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: edd72254-816d-4cd3-bc15-c0534e5c0227

📥 Commits

Reviewing files that changed from the base of the PR and between bc7aa53 and 234f8be.

📒 Files selected for processing (3)
  • .trufflehogignore
  • apps/web/README.md
  • scripts/README.md
✅ Files skipped from review due to trivial changes (3)
  • apps/web/README.md
  • .trufflehogignore
  • scripts/README.md

Walkthrough

This PR standardizes environment file naming conventions across the monorepo by introducing a new Cursor rule that enforces .env.<qualifier>.example templates, updates secret scanning tools to recognize the new pattern, adjusts related documentation and scripts, and bumps minor Next.js versions.

Changes

  • Environment File Standardization Rule (.cursor/rules/base/env-files.mdc): New Cursor rule establishing .env.<qualifier>.example as the canonical template naming pattern, defining workflow tied to createEnv Zod schemas, enforcing secrets/placeholder policies, and prescribing platform-specific and Next.js section ordering conventions.
  • Secret Scanning Configuration (.gitleaks.toml, .trufflehogignore): Updated allowlist patterns from multiple explicit .env filenames to a single generalized regex (\.env\.[^/]+\.example$ for gitleaks; *.env.<segment>.example for trufflehog) and expanded environment-test exclusions to cover development/staging/production/test variants.
  • Script & Documentation Updates (scripts/block-secret-files.mjs, scripts/README.md, apps/docu/content/docs/architecture/security.mdx): Aligned secret-file blocking logic and documentation with the new .env.<qualifier>.example pattern; updated security best-practices guidance to reference the standardized template convention.
  • App Development Documentation (apps/api/README.md, apps/web/README.md, apps/mobile/README.md, apps/docu/content/docs/development/index.mdx): Updated environment setup instructions to reference the new template filenames (.env.defaults.example, .env.local.example) instead of the prior patterns (.env-example, .env-sample).
  • Dependency Version Bumps (apps/docu/package.json, apps/web/package.json, tools/eslint/package.json, package.json): Minor version updates to next from 16.1.6 to 16.1.7 and @next/eslint-plugin-next to match; added pnpm overrides for flatted, h3, socket.io-parser, and undici.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • wip: ssr zustand hydration and coingecko token prices #38: Consolidates base environment rules and centralizes the lib/env.ts export pattern that serves as the source-of-truth for validated environment schemas referenced in the new env-files Cursor rule.
  • feat: wallet markup and styles #34: Modifies secret-scanning configuration and env-template allowlist handling, overlapping with updates to .gitleaks.toml, .trufflehogignore, and secret-file blocking logic in this PR.

Poem

🐰 Hopping 'cross the monorepo with glee,
Templates now follow one melody,
.env.qualifier.example, so neat,
Secrets stay safe, the config complete!
From gitleaks to scripts, all aligned,
Standardization's a rabbit's best find!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main objectives: harmonizing environment file naming patterns (the .env.<qualifier>.example convention) and fixing security scanning findings across the codebase.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
.trufflehogignore (1)

11-13: Pattern is redundant but adds clarity.

The new pattern .*\.env\.[^/]+\.example$ is technically redundant with the existing .*\.example$ pattern on line 11, which already matches any file ending in .example. However, keeping the explicit pattern documents the intended convention for env templates, so this is acceptable.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.trufflehogignore around lines 11 - 13, The pattern
".*\.env\.[^/]+\.example$" is redundant because ".*\.example$" already matches
any file ending in ".example"; either remove the redundant pattern to simplify
the file or keep it but add an inline comment clarifying it's intentionally
explicit for env template files; update the .trufflehogignore so it contains
only ".*\.example$" (if removing) or keep both and add a comment like "#
explicit env template pattern" next to ".*\.env\.[^/]+\.example$" to document
intent.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/web/README.md`:
- Line 98: The README references a non-existent `.env.local.example`; fix by
either adding a `.env.local.example` in apps/web containing example keys and
default values matching the schema in lib/env.ts (use the variable names and
expected formats from lib/env.ts) or edit apps/web/README.md to remove the
reference and instead point to lib/env.ts for the required environment variables
and examples; update the README line "Optional environment variables (see
`.env.local.example`):" to either reference the new example file or to say "see
lib/env.ts" so developers know where to find the env schema.

In `@docs/plans/env-file-harmonization.md`:
- Line 62: The documentation contains an absolute local path
"/home/gabo/code/vencura" which is machine-specific and should be removed;
update the reference implementation line to use a relative or generic path
(e.g., "repo-root" or "<your-repo-path>") and keep the file references
(apps/api/.env.defaults.example, .cursor/rules/base/env-files.mdc,
scripts/block-secret-files.mjs, web/mathler/mobile docu env files) so the
reference is portable and no local environment details are exposed.

In `@scripts/README.md`:
- Line 72: The .trufflehogignore file currently contains overbroad patterns
'.*\.example$' and '.*\.sample$' that exclude any .example/.sample files (not
just .env variants); remove those two catch-all patterns from .trufflehogignore
and instead explicitly allow only the intended env exceptions referenced in
README.md (the specific entries for .env.<qualifier>.example, .env.schema, and
.env.{development,staging,production,test}), then update .trufflehogignore so it
only lists those explicit .env variants and ensure README.md line mentioning
`.env` exceptions remains consistent with the tightened ignore rules.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7c244ad2-3d2b-407d-a272-790d6d8347ba

📥 Commits

Reviewing files that changed from the base of the PR and between f89bca4 and bc7aa53.

⛔ Files ignored due to path filters (12)
  • apps/api/.env-sample is excluded by !**/.env*
  • apps/api/.env.defaults.example is excluded by !**/.env*
  • apps/api/.env.test.example is excluded by !**/.env*
  • apps/docu/.env.defaults.example is excluded by !**/.env*
  • apps/docu/.env.development is excluded by !**/.env*
  • apps/mobile/.env.defaults.example is excluded by !**/.env*
  • apps/mobile/.env.example is excluded by !**/.env*
  • apps/web/.env.development is excluded by !**/.env*
  • apps/web/.env.local.example is excluded by !**/.env*
  • apps/web/.env.production is excluded by !**/.env*
  • apps/web/.env.staging is excluded by !**/.env*
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !**/pnpm-lock.yaml
📒 Files selected for processing (15)
  • .cursor/rules/base/env-files.mdc
  • .gitleaks.toml
  • .trufflehogignore
  • apps/api/README.md
  • apps/docu/content/docs/architecture/security.mdx
  • apps/docu/content/docs/development/index.mdx
  • apps/docu/package.json
  • apps/mobile/README.md
  • apps/web/README.md
  • apps/web/package.json
  • docs/plans/env-file-harmonization.md
  • package.json
  • scripts/README.md
  • scripts/block-secret-files.mjs
  • tools/eslint/package.json
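The walkthrough above describes three mechanisms that all hinge on one path pattern: the .env.<qualifier>.example template convention, the gitleaks allowlist regex \.env\.[^/]+\.example$, and the block-secret-files check; the review comment on scripts/README.md adds that a catch-all .*\.example$ ignore is wider than that convention. The script below is an added example written for this page to make those points concrete. It is not the repository's scripts/block-secret-files.mjs and does not reproduce it; the function names, the placeholder and secret heuristics, the rule that any non-template .env* file is blocked, and the sample staged files are all assumptions constructed for the illustration. It uses no dependencies and runs under Node 18 or later as either a .mjs or .js file.

```javascript
// Added example for this page, not the project's scripts/block-secret-files.mjs.
// Plain functions and no imports, so it runs as an ES module (.mjs) or CommonJS (.js).

// Canonical template name from the PR: .env.<qualifier>.example.
// Same shape as the gitleaks allowlist path regex \.env\.[^/]+\.example$.
const TEMPLATE_RE = /\.env\.[^/]+\.example$/;

// The catch-all patterns the review flagged in .trufflehogignore: they skip
// every *.example / *.sample file, not only env templates.
const CATCH_ALL_RE = /\.(example|sample)$/;

// Assumption for this example: any other .env or .env.* file is a real
// environment file and must never be committed.
const ENV_FILE_RE = /(^|\/)\.env(\.[^/]+)?$/;

// Classify a repo-relative path as "template", "blocked" or "other".
function classifyPath(path) {
  if (TEMPLATE_RE.test(path)) return "template";
  if (ENV_FILE_RE.test(path)) return "blocked";
  return "other";
}

// Would a scanner skip this path? narrow=true applies the env-template
// pattern, narrow=false the catch-all, so the over-match is visible.
function isScannerIgnored(path, narrow = true) {
  return narrow ? TEMPLATE_RE.test(path) : CATCH_ALL_RE.test(path);
}

// Values a template may legitimately hold. Heuristic; an assumption here.
const PLACEHOLDER_RE =
  /^(|<[^>]+>|\$\{[^}]+\}|your[-_a-z]*|changeme|xxx+|replace[-_a-z]*|example[-_a-z.]*|https?:\/\/localhost(:\d+)?\S*|true|false|\d{1,5})$/i;

// Values that look like real credentials: well-known key prefixes (Stripe,
// GitHub, AWS, Slack) or a long single token. Thresholds are assumptions.
function looksLikeSecret(value) {
  if (/^(sk_(live|test)_|pk_(live|test)_|ghp_|AKIA|xox[abp]-)[A-Za-z0-9_-]{8,}$/.test(value)) return true;
  return value.length >= 24 && /^[A-Za-z0-9+/=_-]+$/.test(value);
}

// Scan KEY=VALUE lines of a template; report keys whose value is not a placeholder.
function findSuspiciousValues(contents) {
  const findings = [];
  contents.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith("#")) return;
    const eq = line.indexOf("=");
    if (eq < 0) return;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
    if (!PLACEHOLDER_RE.test(value) && looksLikeSecret(value)) {
      findings.push({ line: i + 1, key });
    }
  });
  return findings;
}

// What a pre-commit hook would do with the staged file list: block real env
// files, and reject templates that carry real-looking values.
function checkStagedFiles(files) {
  const blocked = [];
  const leaked = [];
  for (const { path, contents } of files) {
    const kind = classifyPath(path);
    if (kind === "blocked") blocked.push(path);
    if (kind === "template" && typeof contents === "string") {
      for (const f of findSuspiciousValues(contents)) leaked.push({ path, ...f });
    }
  }
  return { blocked, leaked, ok: blocked.length === 0 && leaked.length === 0 };
}

// Constructed sample input (not files from the repository).
const SAMPLE = [
  { path: "apps/api/.env.defaults.example",
    contents: "PORT=3000\nDATABASE_URL=postgres://localhost:5432/app\nJWT_SECRET=<generate-with-openssl-rand>\n" },
  { path: "apps/web/.env.local.example",
    contents: "NEXT_PUBLIC_API_URL=http://localhost:3000\nSTRIPE_SECRET_KEY=sk_live_ABCDEFGHIJKLMNOPQRSTUVWXYZ\n" },
  { path: "apps/web/.env.production" },
  { path: "config/private-key.pem.example" },
  { path: "apps/web/package.json" },
];

const report = checkStagedFiles(SAMPLE);
console.log(JSON.stringify(report, null, 2));
console.log("catch-all ignores config/private-key.pem.example:",
  isScannerIgnored("config/private-key.pem.example", false));
console.log("narrow env-template pattern ignores it:",
  isScannerIgnored("config/private-key.pem.example", true));
// A real hook would exit non-zero when report.ok is false.
```

Run with node on any filename. On the constructed sample it blocks apps/web/.env.production, flags STRIPE_SECRET_KEY in apps/web/.env.local.example because a sk_live_ value is not a placeholder, and leaves the api template alone. The two final lines show the review's point: config/private-key.pem.example is skipped by the catch-all .*\.example$ pattern but not by \.env\.[^/]+\.example$, so a key material file named that way would go unscanned under the broad rule. The placeholder check is the layer gitleaks and TruffleHog do not give you once a path is allowlisted: the allowlist says "do not scan this template", so something still has to confirm the template holds only placeholders.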

- Restrict .trufflehogignore to committed env template paths
- Align scripts/README with block-secret-files and TruffleHog
- Clarify apps/web README env docs; remove docs/plans plan file
@gaboesquivel gaboesquivel merged commit 7e3186c into main Mar 23, 2026
9 of 10 checks passed
@gaboesquivel gaboesquivel deleted the env branch March 23, 2026 21:44