@airplne airplne commented Jan 6, 2026

Summary

  • Add quiet: true to dotenv config in Electron main process
  • Set AUTOMAKER_ELECTRON and AUTOMAKER_HIDE_API_KEY env vars for server
  • Suppress API key banner when spawned by Electron (auth is automatic)
  • Remove partial Anthropic key logging for security

Test plan

  • Electron mode: No dotenv injection message, no API key banner box
  • Web mode: API key banner still displays correctly
  • Codex verification passed

Files changed

  • apps/ui/src/main.ts (2 changes)
  • apps/server/src/routes/app-spec/common.ts (1 change)

🤖 Generated with Claude Code

Summary by CodeRabbit

Bug Fixes

  • Updated API key logging to display only authentication status (SET or NOT SET) instead of exposing actual key values.
  • Implemented automatic authentication handling when running in Electron application environments.
  • Reduced startup process log verbosity for improved initialization clarity and cleaner console output.
  • Added environment-based controls for authentication banner visibility.


- Add quiet:true to dotenv config in Electron main process
- Set AUTOMAKER_ELECTRON and AUTOMAKER_HIDE_API_KEY env vars
- Suppress API key banner when spawned by Electron (auth is automatic)
- Remove partial Anthropic key logging for security

Fixes verbose dotenv injection messages and unnecessary API key banner
in Electron console output while preserving web mode behavior.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

coderabbitai bot commented Jan 6, 2026

Walkthrough

Security and logging enhancements suppress API key exposure by removing masked key displays from logs and adding environment flags (AUTOMAKER_ELECTRON, AUTOMAKER_HIDE_API_KEY) to indicate Electron execution context and suppress authentication banners in the backend.

Changes

Cohort / File(s): Auth & Logging Security
  apps/server/src/routes/app-spec/common.ts, apps/ui/src/main.ts
Summary: Removes API key value from logs (now shows only "SET"/"NOT SET" status); adds AUTOMAKER_ELECTRON: "true" and AUTOMAKER_HIDE_API_KEY: "true" environment variables to server startup in both dev and production contexts; enables quiet mode for dotenv config

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested labels

Enhancement, Testers-Requested

Poem

🐰 A rabbit's ode to secure secrets:

Keys tucked away, no more exposed,
"SET" or "NOT SET," the logs now composed,
Electrons whisper their context so clear,
While banners stay silent—hush, no fear!
The app runs safer, a burrow so tight. 🔐

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: suppressing verbose startup logs in Electron mode through dotenv quiet mode and API key banner suppression.
  • Docstring Coverage: Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

@gemini-code-assist gemini-code-assist bot commented

Summary of Changes

Hello @airplne, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the Electron application's startup experience and security posture. It streamlines the console output by quieting dotenv messages, ensures a cleaner UI by suppressing the API key banner when running in Electron where authentication is automatic, and enhances security by preventing partial API key values from being logged.

Highlights

  • Suppress Verbose Dotenv Logs: The dotenv configuration in the Electron main process now includes quiet: true to prevent verbose output during application startup.
  • Electron Environment Variables: New environment variables, AUTOMAKER_ELECTRON and AUTOMAKER_HIDE_API_KEY, are set when the server is spawned by Electron. This signals the Electron context and suppresses the API key banner, as authentication is handled automatically.
  • Enhanced API Key Security: Partial logging of the ANTHROPIC_API_KEY (first 20 characters) has been removed from the server's authentication status logs, improving security by only indicating if the key is 'SET' or 'NOT SET'.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI Agents
In @apps/ui/src/main.ts:
- Around line 488-491: AUTOMAKER_ELECTRON is defined in the client but not used
by the server; either remove the AUTOMAKER_ELECTRON entry from the client config
in main.ts or add server-side consumption by reading
process.env.AUTOMAKER_ELECTRON and applying the appropriate behavior (e.g.,
similar to how AUTOMAKER_HIDE_API_KEY is handled in the auth logic) so the
server recognizes an Electron execution context; update the server auth/config
code to check process.env.AUTOMAKER_ELECTRON (and treat the string 'true'
accordingly) or delete the unused constant from the client to keep config
minimal.
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fe7bc95 and 52e2d4e.

📒 Files selected for processing (2)
  • apps/server/src/routes/app-spec/common.ts
  • apps/ui/src/main.ts
🧰 Additional context used
📓 Path-based instructions (3)
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Always import from shared packages (@automaker/*), never from old relative paths

Files:

  • apps/server/src/routes/app-spec/common.ts
  • apps/ui/src/main.ts
apps/server/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Use createEventEmitter() from lib/events.ts for all server operations to emit events that stream to frontend via WebSocket

Files:

  • apps/server/src/routes/app-spec/common.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Use resolveModelString() from @automaker/model-resolver to convert model aliases (haiku, sonnet, opus) to full model names

Files:

  • apps/server/src/routes/app-spec/common.ts
  • apps/ui/src/main.ts
🔇 Additional comments (2)
apps/server/src/routes/app-spec/common.ts (1)

38-38: Security improvement: API key redaction implemented correctly.

Changing from logging the API key value to logging "SET"/"NOT SET" eliminates the risk of exposing sensitive credentials in logs while preserving debugging functionality.

apps/ui/src/main.ts (1)

50-50: LGTM: Dotenv quiet mode reduces startup verbosity.

Adding quiet: true appropriately suppresses dotenv's injection messages, aligning with the PR objective to reduce verbose startup logs in Electron mode.

Comment on lines +488 to +491
// Indicate Electron execution context to server
AUTOMAKER_ELECTRON: 'true',
// Suppress API key banner in Electron (auth handled automatically)
AUTOMAKER_HIDE_API_KEY: 'true',
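Review bot: the comment on the first line, "Indicate Electron execution context to server", describes a contract nothing on the server side of this PR implements, and the walkthrough above notes that this same four-line block is added to both the dev and production spawn paths. Suggest hoisting the two entries into one shared object, e.g. `const electronServerEnv = { AUTOMAKER_ELECTRON: 'true', AUTOMAKER_HIDE_API_KEY: 'true' }`, spread into both spawn calls so the values and their comments cannot drift, and either adding the server-side reader or rewording the comment to say AUTOMAKER_ELECTRON is currently informational only.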

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify that AUTOMAKER_ELECTRON and AUTOMAKER_HIDE_API_KEY are consumed by the server.

# Search for AUTOMAKER_ELECTRON usage in server code
echo "=== Searching for AUTOMAKER_ELECTRON usage ==="
rg -n --type=ts --type=js -C3 'AUTOMAKER_ELECTRON' apps/server/

echo ""
echo "=== Searching for AUTOMAKER_HIDE_API_KEY usage ==="
rg -n --type=ts --type=js -C3 'AUTOMAKER_HIDE_API_KEY' apps/server/

Repository: AutoMaker-Org/automaker

Length of output: 1597


Remove unused AUTOMAKER_ELECTRON environment variable or implement server-side consumption.

The AUTOMAKER_HIDE_API_KEY variable is properly consumed in apps/server/src/lib/auth.ts (line 134) to suppress the API key banner when set to 'true'. However, AUTOMAKER_ELECTRON is set in the client but is not referenced anywhere in the server code. Either implement server-side logic to consume this variable to recognize the Electron execution context, or remove the unused environment variable from the client configuration.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request effectively suppresses verbose startup logs in Electron mode and enhances security by removing partial API key logging. The changes are clear and well-implemented. I've added one suggestion to improve maintainability and further harden security by using constants for environment variable names, which will help prevent potential issues from typos across different parts of the application.

Comment on lines +489 to +491
AUTOMAKER_ELECTRON: 'true',
// Suppress API key banner in Electron (auth handled automatically)
AUTOMAKER_HIDE_API_KEY: 'true',

medium

Using hardcoded strings for environment variable names like AUTOMAKER_ELECTRON and AUTOMAKER_HIDE_API_KEY is risky. A typo in AUTOMAKER_HIDE_API_KEY, for example, would cause the server to default to showing the API key in the logs, which is a security concern this PR aims to prevent.

To make this more robust, I recommend defining these keys as constants in a shared package (e.g., in a new constants file within @automaker/utils) and importing them both here and in the server code where they are read. This prevents typos and makes the code easier to maintain.
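As an added example (not the PR's code and not AutoMaker's own main.ts or auth.ts), the following TypeScript shows one way the two review points above fit together: the flag names kept as shared constants so the Electron side that sets them and the server side that reads them cannot drift by a typo, a server-side check that enables suppression only on the exact string 'true' and otherwise falls back to web-mode behaviour (banner shown), and the redacted "SET"/"NOT SET" status line in place of a key prefix. The module layout, function names, and the sample key value are assumptions constructed for illustration.

```typescript
// Added example, not AutoMaker project code. Module layout, names, and the
// sample values below are assumptions made for illustration.

// Shared constants for the flag names, so the Electron main process (which
// sets them) and the server (which reads them) cannot drift apart by a typo.
const ENV_FLAGS = {
  ELECTRON: "AUTOMAKER_ELECTRON",
  HIDE_API_KEY: "AUTOMAKER_HIDE_API_KEY",
} as const;

type EnvLike = Record<string, string | undefined>;

// A flag is enabled only by the exact string "true"; "TRUE", "1" or a
// misspelled variable name all leave it disabled.
function flagIsSet(env: EnvLike, name: string): boolean {
  return env[name] === "true";
}

// Electron main-process side: environment handed to the spawned server.
// The parent environment is copied first so nothing else is lost.
function buildServerEnv(parentEnv: EnvLike, spawnedByElectron: boolean): EnvLike {
  const env: EnvLike = { ...parentEnv };
  if (spawnedByElectron) {
    env[ENV_FLAGS.ELECTRON] = "true";      // informational: Electron context
    env[ENV_FLAGS.HIDE_API_KEY] = "true";  // auth is automatic, no banner needed
  }
  return env;
}

// Server side: the banner is shown unless explicitly suppressed, so a missing
// or mistyped flag errs toward web-mode behaviour (banner visible).
function shouldShowApiKeyBanner(env: EnvLike): boolean {
  return !flagIsSet(env, ENV_FLAGS.HIDE_API_KEY);
}

// Redacted status for a secret: report presence only, never any prefix of it.
function secretStatus(value: string | undefined): "SET" | "NOT SET" {
  return value !== undefined && value.length > 0 ? "SET" : "NOT SET";
}

// The startup auth log lines the server would print for a given environment.
function authStatusLines(env: EnvLike): string[] {
  return [
    `ANTHROPIC_API_KEY: ${secretStatus(env.ANTHROPIC_API_KEY)}`,
    `Electron context: ${flagIsSet(env, ENV_FLAGS.ELECTRON) ? "yes" : "no"}`,
    `API key banner: ${shouldShowApiKeyBanner(env) ? "shown" : "hidden"}`,
  ];
}

// Guard used by the self-check: no log line may contain any part of the secret.
function leaksSecret(lines: string[], secret: string): boolean {
  const prefix = secret.slice(0, 8);
  return lines.some((line) => line.includes(prefix));
}

// Self-check on a constructed parent environment (the key value is fake).
const constructedParentEnv: EnvLike = {
  ANTHROPIC_API_KEY: "sk-ant-constructed-example-key-00000000",
};
const electronEnv = buildServerEnv(constructedParentEnv, true);
const webEnv = buildServerEnv(constructedParentEnv, false);
const typoEnv: EnvLike = { AUTOMAKER_HIDE_APIKEY: "true" }; // misspelled on purpose

for (const [label, env] of [["electron", electronEnv], ["web", webEnv], ["typo", typoEnv]] as const) {
  const lines = authStatusLines(env);
  if (leaksSecret(lines, constructedParentEnv.ANTHROPIC_API_KEY as string)) {
    throw new Error(`${label}: secret leaked into logs`);
  }
  console.log(`[${label}]\n` + lines.join("\n"));
}
```

Running it prints three blocks: the Electron environment reports the key as SET with the banner hidden, the web environment reports SET with the banner shown, and the misspelled-flag environment also shows the banner, which is the safe direction for a missing or mistyped flag. Because the server compares against `ENV_FLAGS.HIDE_API_KEY` rather than a second hand-typed string, a typo becomes a compile-time name error instead of a silent behaviour change.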

@webdevcody webdevcody closed this Jan 14, 2026