Remove frontend secret injection and document env safety

ilramdhan · ilramdhan · commit a77296799673 · 2026-03-04T19:40:07.000+07:00
diff --git a/README.md b/README.md
@@ -104,6 +104,9 @@ The project uses the following tables in Supabase:
     VITE_SUPABASE_ANON_KEY=your_supabase_anon_key
     ```
 
+    - [ ] Never expose non-`VITE_` secrets to frontend bundle
+
+
 4.  **Run the development server**
     ```bash
     npm run dev
diff --git a/api/wakatime.ts b/api/wakatime.ts
@@ -1,5 +1,5 @@
 export default async function handler(req, res) {
-  const apiKey = process.env.WAKATIME_API_KEY || process.env.VITE_WAKATIME_API_KEY;
+  const apiKey = process.env.WAKATIME_API_KEY;
 
   if (!apiKey) {
     return res.status(500).json({ error: 'Server Configuration Error: Missing API Key' });
diff --git a/vite.config.ts b/vite.config.ts
@@ -1,19 +1,14 @@
 import path from 'path';
-import { defineConfig, loadEnv } from 'vite';
+import { defineConfig } from 'vite';
 import react from '@vitejs/plugin-react';
 
-export default defineConfig(({ mode }) => {
-    const env = loadEnv(mode, process.cwd(), '');
+export default defineConfig(() => {
     return {
       server: {
         port: 3000,
         host: '0.0.0.0',
       },
       plugins: [react()],
-      define: {
-        'process.env.API_KEY': JSON.stringify(env.GEMINI_API_KEY),
-        'process.env.GEMINI_API_KEY': JSON.stringify(env.GEMINI_API_KEY)
-      },
       resolve: {
         alias: {
           '@': path.resolve(__dirname, '.'),
