security(env): setup build-time key sanitation to block private crede…#2171

Open: VIDYANKSHINI wants to merge 2 commits into Priyanshu-byte-coder:main from VIDYANKSHINI:security/build-time-env-validation

@VIDYANKSHINI
Contributor

Summary

Implemented a pre-build environment validation check that blocks the compiler if private credentials accidentally leak into the public Next.js bundle.

Closes #1462


Type of Change

  • Bug fix
  • New feature
  • Documentation update
  • Refactor / code cleanup

Changes Made

  • Created scripts/validate-env.js which loads environment variables and scans all keys prefixed with NEXT_PUBLIC_.
  • Added strict checks to halt compilation if private substrings (e.g., private_key, supabase_secret, database_url, admin_key, service_role) or raw RSA key values are detected in public variables.
  • Updated the build script in package.json to prepend the validation script execution (node scripts/validate-env.js && next build).

How to Test

  1. Add a dummy environment variable to your .env.local: NEXT_PUBLIC_DATABASE_URL=test_leak
  2. Run npm run build
  3. Verify that the build halts immediately with a 🚨 SECURITY ERROR stating that a potentially private secret leaked into a public variable.
  4. Remove the dummy variable and verify that the build succeeds normally.

Screenshots (if UI change)

N/A


Checklist

  • Linked issue in summary
  • npm run lint passes locally
  • No TypeScript errors (npm run type-check)
  • Self-reviewed the diff
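
The check described under "Changes Made", as an added example (not the PR's scripts/validate-env.js, of which only a few lines are visible on this page). The function name findPublicEnvLeaks, the constant names and the sample environment are assumptions constructed for illustration; the blocked substrings are the ones the PR description lists.

```javascript
// Added example; not the PR's scripts/validate-env.js. All names are assumptions.
const PUBLIC_PREFIX = 'NEXT_PUBLIC_'; // Next.js inlines these into the client bundle

// Substrings the PR description lists as signs of a private credential.
const BLOCKED_KEY_SUBSTRINGS = [
  'private_key', 'supabase_secret', 'database_url', 'admin_key', 'service_role',
];

// Header of any PEM private key (RSA, EC, OPENSSH, PKCS#8, ...), case-insensitive.
const PEM_PRIVATE_KEY = /-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----/i;

// Returns one finding per problem. Findings carry the variable name and a
// reason only, never the value, so a real secret is not echoed into CI logs.
function findPublicEnvLeaks(env) {
  const findings = [];
  for (const [key, value] of Object.entries(env)) {
    if (!key.startsWith(PUBLIC_PREFIX)) continue; // server-only, never bundled
    const lowerKey = key.toLowerCase();
    const hit = BLOCKED_KEY_SUBSTRINGS.find((s) => lowerKey.includes(s));
    if (hit) findings.push({ key, reason: `name contains "${hit}"` });
    if (PEM_PRIVATE_KEY.test(String(value ?? ''))) {
      findings.push({ key, reason: 'value contains a PEM private key header' });
    }
  }
  return findings;
}

// Constructed sample environment (no real credentials).
const sampleEnv = {
  NEXT_PUBLIC_API_BASE: 'https://api.example.test',
  NEXT_PUBLIC_DATABASE_URL: 'test_leak', // the case from "How to Test"
  NEXT_PUBLIC_SIGNING: '-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----',
  NEXT_PUBLIC_Supabase_Service_Role: 'constructed',
  DATABASE_URL: 'postgres://constructed.invalid/db', // no public prefix: ignored
};

const sampleFindings = findPublicEnvLeaks(sampleEnv);
for (const f of sampleFindings) console.error(`SECURITY ERROR: ${f.key}: ${f.reason}`);
// A build guard would set a non-zero exit code when findings are present.
```

Matching on the variable name catches the NEXT_PUBLIC_DATABASE_URL test case regardless of its value, while the PEM pattern catches key material pasted under an innocuous name.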

Copilot AI review requested due to automatic review settings June 7, 2026 14:13
@vercel

vercel Bot commented Jun 7, 2026

@VIDYANKSHINI is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added gssoc26 GSSoC 2026 contribution type:design GSSoC type bonus: UI/design (+10 pts) type:security GSSoC type bonus: security (+20 pts) labels Jun 7, 2026
@github-actions

github-actions Bot commented Jun 7, 2026

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus


Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a pre-build guard to prevent accidentally exposing private credentials via NEXT_PUBLIC_* environment variables during Next.js builds.

Changes:

  • Introduce scripts/validate-env.js to load env files (Next.js-style) and scan NEXT_PUBLIC_* vars for blocked secret keywords / private key markers.
  • Gate npm run build by running the validation script before next build.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| scripts/validate-env.js | New env validation script that fails the build on detected secret leakage via public env vars. |
| package.json | Runs env validation as part of the build pipeline before next build. |

Comment thread scripts/validate-env.js
Comment on lines +1 to +4
const { loadEnvConfig } = require('@next/env');

// Load environment variables exactly as Next.js does
loadEnvConfig(process.cwd());
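Review bot: line 1 requires `@next/env` directly, so confirm it is declared in package.json rather than resolved only through `next`'s own dependencies; with a package manager that does not hoist transitive packages the new pre-build step would fail before `next build` runs. On `loadEnvConfig(process.cwd())`, the script only finds the env files when it is started from the project root, so either resolve the directory relative to the script file or state that requirement in the comment above the call.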
Comment thread scripts/validate-env.js Outdated
if (key.startsWith('NEXT_PUBLIC_')) {
const lowerKey = key.toLowerCase();
const lowerValue = (value || '').toLowerCase();
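Review bot: `lowerValue` is lowercased on the last line shown, so every marker compared against it later has to be written in lowercase too; a PEM header in its usual uppercase form would never match a lowercased value. Either keep the marker list in lowercase with a comment saying so, or test the original `value` with a case-insensitive pattern and drop `lowerValue`.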
