Security: Rename SUPABASE_SERVICE_ROLE_KEY to SERVICE_ROLE_KEY

- Rename environment variable across all Edge Functions
- Supabase CLI blocks secrets starting with SUPABASE_
- Update shared supabaseClient.ts and 20+ Edge Functions
- Allows proper secret rotation via: supabase secrets set SERVICE_ROLE_KEY=<key>

Security Context:
- GitGuardian detected exposed service_role JWT in repository
- Legacy JWT cannot be regenerated, must migrate to Secret API keys
- Removed exposed secrets from mobile/.env (not committed)

Next Steps:
1. Create new Secret API key in Supabase dashboard
2. Set secret: supabase secrets set SERVICE_ROLE_KEY=<new_key>
3. Deploy all Edge Functions
4. Revoke exposed API keys (OpenAI, Claude, Gemini, USDA)
5. Rotate OAuth secrets (Fitbit, Whoop)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: schwaaamp

supabase/functions/_shared/config.test.ts

@@ -24,7 +24,7 @@ Deno.test({
   fn: () => {
     const requiredVars = [
       "SUPABASE_URL",
-      "SUPABASE_SERVICE_ROLE_KEY",
+      "SERVICE_ROLE_KEY",
     ];
 
     const missing: string[] = [];
@@ -194,9 +194,9 @@ Deno.test({
 });
 
 Deno.test({
-  name: "SUPABASE_SERVICE_ROLE_KEY is not empty and has sufficient length",
+  name: "SERVICE_ROLE_KEY is not empty and has sufficient length",
   fn: () => {
-    const key = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY");
+    const key = Deno.env.get("SERVICE_ROLE_KEY");
 
     if (!key) {
       return;
@@ -205,7 +205,7 @@ Deno.test({
     assertEquals(
       key.length > 50,
       true,
-      "SUPABASE_SERVICE_ROLE_KEY appears too short"
+      "SERVICE_ROLE_KEY appears too short"
     );
   },
 });
@@ -290,7 +290,7 @@ Deno.test({
   fn: () => {
     const criticalVars = [
       "SUPABASE_URL",
-      "SUPABASE_SERVICE_ROLE_KEY",
+      "SERVICE_ROLE_KEY",
       "WHOOP_CLIENT_ID",
       "WHOOP_CLIENT_SECRET",
       "FITBIT_CLIENT_ID",
@@ -343,7 +343,7 @@ Deno.test({
 Deno.test({
   name: "SECURITY: Service role key is not accidentally exposed as anon key",
   fn: () => {
-    const serviceRoleKey = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY");
+    const serviceRoleKey = Deno.env.get("SERVICE_ROLE_KEY");
 
     if (!serviceRoleKey) {
       return;
@@ -354,14 +354,14 @@ Deno.test({
     assertEquals(
       serviceRoleKey.startsWith("eyJ"),
       true,
-      "SUPABASE_SERVICE_ROLE_KEY should be a JWT"
+      "SERVICE_ROLE_KEY should be a JWT"
     );
 
     // Service role key should be significantly long (at least 100 chars)
     assertEquals(
       serviceRoleKey.length > 100,
       true,
-      "SUPABASE_SERVICE_ROLE_KEY appears too short"
+      "SERVICE_ROLE_KEY appears too short"
     );
   },
 });
@@ -376,7 +376,7 @@ Deno.test({
     const allRequiredVars = [
       // Supabase
       "SUPABASE_URL",
-      "SUPABASE_SERVICE_ROLE_KEY",
+      "SERVICE_ROLE_KEY",
       // WHOOP
       "WHOOP_CLIENT_ID",
       "WHOOP_CLIENT_SECRET",

supabase/functions/_shared/oura-client.test.ts

@@ -10,7 +10,7 @@ const mockEnv = new Map<string, string>([
   ['OURA_CLIENT_SECRET', 'test-oura-client-secret'],
   ['OURA_WEBHOOK_SECRET', 'test-webhook-secret'],
   ['SUPABASE_URL', 'https://test-project.supabase.co'],
-  ['SUPABASE_SERVICE_ROLE_KEY', 'test-service-role-key'],
+  ['SERVICE_ROLE_KEY', 'test-service-role-key'],
 ]);
 
 // @ts-ignore - Mock Deno global

supabase/functions/_shared/supabaseClient.ts

@@ -19,10 +19,10 @@ export function createClient(): SupabaseClient {
   }
 
   const supabaseUrl = Deno.env.get('SUPABASE_URL');
-  const supabaseServiceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
+  const supabaseServiceRoleKey = Deno.env.get('SERVICE_ROLE_KEY');
 
   if (!supabaseUrl || !supabaseServiceRoleKey) {
-    throw new Error('Missing SUPABASE_URL or SUPABASE_SERVICE_ROLE_KEY environment variables');
+    throw new Error('Missing SUPABASE_URL or SERVICE_ROLE_KEY environment variables');
   }
 
   supabaseClient = createSupabaseClient(supabaseUrl, supabaseServiceRoleKey, {

supabase/functions/caller-test/index.ts

@@ -22,12 +22,12 @@ Deno.serve(withLogging('caller-test', async (req: Request, logger: Logger) => {
   }
 
   const supabaseUrl = Deno.env.get('SUPABASE_URL');
-  const serviceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
+  const serviceRoleKey = Deno.env.get('SERVICE_ROLE_KEY');
 
   if (!supabaseUrl || !serviceRoleKey) {
     return new Response(
       JSON.stringify({
-        error: 'Missing SUPABASE_URL or SUPABASE_SERVICE_ROLE_KEY',
+        error: 'Missing SUPABASE_URL or SERVICE_ROLE_KEY',
       }),
       { status: 500, headers: { 'Content-Type': 'application/json' } }
     );

supabase/functions/fitbit-auth-start/index.standalone.ts

@@ -15,7 +15,7 @@ const corsHeaders = {
 
 function createClient() {
   const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
-  const supabaseServiceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
+  const supabaseServiceRoleKey = Deno.env.get('SERVICE_ROLE_KEY')!;
   return createSupabaseClient(supabaseUrl, supabaseServiceRoleKey, {
     auth: { autoRefreshToken: false, persistSession: false },
   });

supabase/functions/fitbit-callback/index.standalone.ts

@@ -8,7 +8,7 @@ import { createClient as createSupabaseClient } from 'https://esm.sh/@supabase/s
 
 function createClient() {
   const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
-  const supabaseServiceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
+  const supabaseServiceRoleKey = Deno.env.get('SERVICE_ROLE_KEY')!;
   return createSupabaseClient(supabaseUrl, supabaseServiceRoleKey, {
     auth: { autoRefreshToken: false, persistSession: false },
   });
@@ -230,7 +230,7 @@ Deno.serve(async (req: Request) => {
 
     // Trigger initial backfill (fire-and-forget)
     const supabaseUrl = Deno.env.get('SUPABASE_URL');
-    const serviceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
+    const serviceRoleKey = Deno.env.get('SERVICE_ROLE_KEY');
     if (supabaseUrl && serviceRoleKey) {
       fetch(`${supabaseUrl}/functions/v1/sync-fitbit`, {
         method: 'POST',

supabase/functions/fitbit-callback/index.ts

@@ -282,7 +282,7 @@ Deno.serve(async (req: Request) => {
 async function triggerInitialBackfill(userId: string, deviceId: string) {
   try {
     const supabaseUrl = Deno.env.get('SUPABASE_URL');
-    const serviceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
+    const serviceRoleKey = Deno.env.get('SERVICE_ROLE_KEY');
 
     if (!supabaseUrl || !serviceRoleKey) {
       console.error('Missing Supabase configuration for backfill trigger');

supabase/functions/fitbit-webhook/index.standalone.ts

@@ -8,7 +8,7 @@ import { createClient as createSupabaseClient } from 'https://esm.sh/@supabase/s
 
 function createClient() {
   const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
-  const supabaseServiceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
+  const supabaseServiceRoleKey = Deno.env.get('SERVICE_ROLE_KEY')!;
   return createSupabaseClient(supabaseUrl, supabaseServiceRoleKey, {
     auth: { autoRefreshToken: false, persistSession: false },
   });
@@ -120,7 +120,7 @@ Deno.serve(async (req: Request) => {
 
       // Trigger sync (fire-and-forget)
       const supabaseUrl = Deno.env.get('SUPABASE_URL');
-      const serviceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
+      const serviceRoleKey = Deno.env.get('SERVICE_ROLE_KEY');
 
       if (supabaseUrl && serviceRoleKey) {
         fetch(`${supabaseUrl}/functions/v1/sync-fitbit`, {

supabase/functions/fitbit-webhook/index.ts

@@ -212,7 +212,7 @@ async function triggerSync(
 ): Promise<void> {
   try {
     const supabaseUrl = Deno.env.get('SUPABASE_URL');
-    const serviceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
+    const serviceRoleKey = Deno.env.get('SERVICE_ROLE_KEY');
 
     if (!supabaseUrl || !serviceRoleKey) {
       console.error('Missing Supabase configuration for sync trigger');

supabase/functions/function-to-function-auth.test.ts

@@ -22,10 +22,10 @@ Deno.test({
   name: 'BUG: Edge Function calling another Edge Function gets 401',
   async fn() {
     const supabaseUrl = Deno.env.get('SUPABASE_URL');
-    const serviceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
+    const serviceRoleKey = Deno.env.get('SERVICE_ROLE_KEY');
 
     assertExists(supabaseUrl, 'SUPABASE_URL must be set');
-    assertExists(serviceRoleKey, 'SUPABASE_SERVICE_ROLE_KEY must be set');
+    assertExists(serviceRoleKey, 'SERVICE_ROLE_KEY must be set');
 
     console.log('\n🧪 Testing function-to-function authentication...\n');
 
@@ -92,10 +92,10 @@ Deno.test({
   name: 'CONTROL: Direct call to echo-test works (baseline)',
   async fn() {
     const supabaseUrl = Deno.env.get('SUPABASE_URL');
-    const serviceRoleKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
+    const serviceRoleKey = Deno.env.get('SERVICE_ROLE_KEY');
 
     assertExists(supabaseUrl, 'SUPABASE_URL must be set');
-    assertExists(serviceRoleKey, 'SUPABASE_SERVICE_ROLE_KEY must be set');
+    assertExists(serviceRoleKey, 'SERVICE_ROLE_KEY must be set');
 
     const echoUrl = `${supabaseUrl}/functions/v1/echo-test`;
     const response = await fetch(echoUrl, {