cim_summary/backend/scripts/clean-env-secrets.sh

#!/bin/bash
# Remove secrets from .env file that should only be Firebase Secrets
# This prevents conflicts during deployment

set -e

if [ ! -f .env ]; then
  echo "No .env file found"
  exit 0
fi

# List of secrets to remove from .env
SECRETS=(
  "ANTHROPIC_API_KEY"
  "OPENAI_API_KEY"
  "OPENROUTER_API_KEY"
  "DATABASE_URL"
  "SUPABASE_SERVICE_KEY"
  "SUPABASE_ANON_KEY"
  "EMAIL_PASS"
)

echo "🧹 Cleaning secrets from .env file..."

BACKUP_FILE=".env.pre-clean-$(date +%Y%m%d-%H%M%S).bak"
cp .env "$BACKUP_FILE"
echo "📋 Backup created: $BACKUP_FILE"

REMOVED=0
for secret in "${SECRETS[@]}"; do
  if grep -q "^${secret}=" .env; then
    # Remove the line (including commented versions)
    sed -i.tmp "/^#*${secret}=/d" .env
    rm -f .env.tmp
    echo "  ✅ Removed ${secret}"
    REMOVED=$((REMOVED + 1))
  fi
done

if [ $REMOVED -gt 0 ]; then
  echo ""
  echo "✅ Removed ${REMOVED} secret(s) from .env"
  echo "💡 For local development, use: npm run sync-secrets"
else
  echo "✅ No secrets found in .env (already clean)"
  rm "$BACKUP_FILE"
fi