⚙️ FC-26 Configuration Audit
Complete system configuration review — February 14, 2026
1. Environment Variables
Backend .env (active)
| Variable | Status | Value | In .env.example |
|---|---|---|---|
| SUPABASE_URL | SET | http://127.0.0.1:54321 | Yes |
| SUPABASE_SERVICE_ROLE_KEY | SET | *** | Yes (empty) |
| SUPABASE_ANON_KEY | SET | *** | Yes (commented) |
| OPENAI_API_KEY | SET | *** | Yes (empty) |
| OPENAI_VISION_MODEL | SET | gpt-5-nano | NO ⚠️ |
| LANGFUSE_SECRET_KEY | SET | *** | Yes (empty) |
| LANGFUSE_PUBLIC_KEY | SET | *** | Yes (empty) |
| LANGFUSE_HOST | SET | https://cloud.langfuse.com | Yes |
| GOOGLE_CLIENT_ID | SET | *** | Yes (empty) |
| GOOGLE_CLIENT_SECRET | SET | *** | Yes (empty) |
| ALLOW_HEADER_USER_ID | SET | true ⚠️ | Yes (commented) |
| SENTRY_DSN | MISSING | — | Yes (empty) |
Frontend .env
| Variable | Status | Value | In .env.example |
|---|---|---|---|
| VITE_API_BASE_URL | SET | http://localhost:3000 | Yes |
| VITE_GAMES_POLL_MS | SET | 60000 | Yes |
| VITE_SUPABASE_URL | SET | http://127.0.0.1:54321 | Yes |
| VITE_SUPABASE_ANON_KEY | SET | *** | Yes (empty) |
| VITE_POSTHOG_KEY | EMPTY | — | Yes (empty) |
| VITE_POSTHOG_HOST | MISSING | — | Yes |
| VITE_SENTRY_DSN | EMPTY | — | Yes (empty) |
| VITE_LANGFUSE_URL | EMPTY | — | Yes (empty) |
Undocumented Environment Variables
Warning: 10 environment variables found in code but not documented in .env.example
- RATE_LIMIT_ENABLED (rateLimiter.ts)
- RATE_LIMIT_WINDOW_MS (rateLimiter.ts)
- RATE_LIMIT_MAX_REQUESTS (rateLimiter.ts)
- RATE_LIMIT_BURST_MULTIPLIER (rateLimiter.ts)
- BILLING_AUTO_FREE_TIER (billingService.ts)
- INSIGHTS_AUDIENCE_MODE (audienceMode.ts)
- TENANT_ALLOWLIST (requestContext.ts)
- TENANT_STRICT_MODE (requestContext.ts)
- SETTINGS_ENCRYPTION_KEY (encryption.ts)
- TELEMETRY_OPS_TOKEN (telemetry/routes.ts)
2. AI / Model Configuration
- Active Model: gpt-5-nano (via OPENAI_VISION_MODEL env var)
- Hardcoded Fallback: gpt-4o
- Labs Pipeline Model: gpt-4o-mini
- OpenAI Timeout: 30,000ms (hardcoded in pageClassifier.ts)
Model Pricing
| Model | Input $/1M | Output $/1M | Cached $/1M | Tier |
|---|---|---|---|---|
| gpt-5-nano | $0.05 | $0.40 | $0.01 | Economy ✅ |
| gpt-4o-mini | $0.15 | $0.60 | — | Economy |
| gpt-5-mini | $0.25 | $2.00 | $0.025 | Economy |
| gpt-4o | $2.50 | $10.00 | — | Standard |
| gpt-5.2 | $1.75 | $14.00 | $0.175 | Standard |
| gpt-4-turbo | $10.00 | $30.00 | — | Premium |
| gpt-5.2-pro | $21.00 | $168.00 | — | Premium |
Token Budgets (defaults)
- Vision Extraction: 20,000
- Vision Pick: 5,000
- Header Extract: 5,000
- Phase Detection Features: 2,500 each
- Per-tab Stats: 5,000 each
- Max Output Tokens Cap: 30,000
- Reasoning Model Floor: 10,000
- Stats Extract Concurrency: 4
3. Database Configuration
- Active Database: Local Supabase (127.0.0.1:54321)
- PostgreSQL Version: 17
- Connection Pooling: DISABLED (expected for dev)
- RLS Status: Enabled (multi-tenant)
- Total Migrations: 133
- Storage File Size Limit: 50 MiB
Database Ports
| Service | Port | Description |
|---|---|---|
| Database | 54322 | PostgreSQL direct connection |
| REST API | 54321 | Supabase API endpoint |
| Studio UI | 54323 | Database management interface |
| Shadow | 54320 | Migration shadow database |
Warning: Seed file configured but seed.sql is MISSING
4. Video Processing Pipeline
Frame Extraction
- Scan Interval: 3s
- Max Scan Frames: 120
- JPEG Quality (Scan): qscale:v 2
- JPEG Quality (Page Capture): qscale:v 3
- Output Format: JPEG
Page Capture Timing
- Pre-phase Buffer: 25,000ms (PAGE_CAPTURE_PRE_MS)
- Post-phase Buffer: 95,000ms (PAGE_CAPTURE_POST_MS)
- Entry FPS: 1.0
- Tab Browsing FPS: 0.5
- Chase FPS: 0.5 (max 80 frames, 45,000ms duration)
- Extend Duration: 30,000ms
Adaptive Density Capture
- Scan FPS: 1
- Burst FPS: 5
- Burst Window: ±6s
- Max Frames/Phase: 300
- Likelihood Threshold: 0.35
Clustering Thresholds
| Method | Threshold | Parameters |
|---|---|---|
| pHash Hamming | 8 | — |
| SSIM | 0.92 | downsample 256x144 |
| Histogram chi-square | 0.15 | bins 64 |
5. YouTube / Download Configuration
- Cookies File: youtube_cookies.txt (both repo root and backend/)
- Download Format: bestvideo[ext=mp4]+bestaudio[ext=m4a]/best
- Merge Output: mp4
- Retries: 3 (Fragment retries: 3)
- Max Parallel Downloads: DB-configurable
- Channel ID: UC_zGzTOa0En-MjArUymNZ9w
Note: OAuth redirect hardcoded to http://localhost:3000/api/youtube/oauth/callback
6. Server Configuration
- Port: 3000 (via PORT env)
- Host: 0.0.0.0
- CORS: * (all origins) ⚠️
- Body Size Limit: 50 MiB
- Rate Limiting: Auto (disabled in dev)
- Auth Bypass: ALLOW_HEADER_USER_ID=true ⚠️
- API Route Modules: 21
- Event Bus Concurrency: 3 (hardcoded)
7. Frontend Configuration
- Vite Dev Port: 5173
- API Proxy: /api → http://localhost:3000
- TypeScript: strict mode
- Tailwind CSS: v4
- React Version: 18.3
- Router: react-router-dom 7.10
- PostHog Analytics: Disabled
- Sentry: Disabled
- Games Poll Interval: 60,000ms
8. Build / Deploy
| Component | Build Command | Status |
|---|---|---|
| Backend | tsc | Configured |
| Frontend | tsc && vite build | Configured |
| Test runner | Vitest | Configured |
| Pre-commit gate | npm run test:precommit | Configured |
| PR gate | npm run ready | Configured |
| Dockerfile | — | None |
| CI/CD | — | None |
| .nvmrc | — | None |
Monorepo Structure
Uses npm workspaces for managing frontend and backend dependencies
9. Key Issues & Recommendations
🔴 High Severity Issues
- [High] ALLOW_HEADER_USER_ID=true: security bypass active, must be false in production
- [High] 6 secrets in .env: should use .env.local (gitignored) to prevent accidental commits
🟡 Medium Severity Issues
- [Medium] OPENAI_VISION_MODEL not in .env.example: undocumented model override
- [Medium] CORS set to *: needs restricting for production
- [Medium] Frontend .env sets localhost:3000, which is confusing alongside the Vite proxy configuration
🟢 Low Priority / Informational
- No CI/CD, Dockerfile, or .nvmrc
- seed.sql referenced but missing
- ~20 undocumented environment variables
- 180 debug env var call sites (well-structured but undocumented)
- Connection pooling disabled (expected for dev)
Top Recommendations
1. Add OPENAI_VISION_MODEL to .env.example
Document the model override variable to prevent configuration drift
2. Move secrets to .env.local
Use gitignored .env.local for sensitive values to prevent accidental commits
3. Document the ~20 undocumented env vars
Add all code-referenced environment variables to .env.example with descriptions
4. Pin Node.js version (.nvmrc)
Add .nvmrc file to ensure consistent Node.js version across environments
5. Restrict CORS for production
Replace wildcard CORS with specific allowed origins for production deployment
6. Make OPENAI_TIMEOUT_MS configurable
Move hardcoded 30,000ms timeout to environment variable
7. Remove deprecated ARTEFACT_LOCAL_ROOT
Clean up any references to deprecated configuration variables