🔒 Remove hardcoded Gemini API key from build by NITISH-R-G · Pull Request #82 · NITISH-R-G/Intelli-Credit-V2 · GitHub

🔒 Remove hardcoded Gemini API key from build#82

Draft
NITISH-R-G wants to merge 6 commits into main from fix-hardcoded-gemini-key-15124981763219646591

Conversation

NITISH-R-G (Owner) commented Jun 9, 2026

🎯 What: Removed the statically injected GEMINI_API_KEY from vite.config.ts and added a dynamic UI input in DataIngestion.tsx to handle the key client-side.
⚠️ Risk: Hardcoding the API key in the Vite build configuration exposes it to all users and can lead to unauthorized access and billing issues.
🛡️ Solution: Implemented a Bring-Your-Own-Key (BYOK) architecture by storing the key in the React App.tsx state and passing it down to the analysisService.ts for dynamic GoogleGenAI initialization. Tests were updated to reflect the new parameters.


PR created automatically by Jules for task 15124981763219646591 started by @NITISH-R-G

Summary by Sourcery

Remove build-time Gemini API key injection and switch to a client-supplied key passed through the UI and app state into analysis services.

New Features:

  • Add a Gemini API key input field to the data ingestion UI alongside the existing external bureau API key field.

Enhancements:

  • Propagate the Gemini API key through React state into the analysis service for dynamic GoogleGenAI initialization.
  • Update the data ingestion copy to reflect a broader API keys and integrations section.

Build:

  • Remove Vite configuration that defined the GEMINI_API_KEY at build time.

Tests:

  • Extend DataIngestion component tests to cover the new Gemini API key input and updated labels.
  • Update analysisService tests to pass the Gemini API key parameter into performAnalysis.

🎯 What: Removed the statically injected `GEMINI_API_KEY` from `vite.config.ts` and added a dynamic UI input in `DataIngestion.tsx` to handle the key client-side.
⚠️ Risk: Hardcoding the API key in the Vite build configuration exposes it to all users and can lead to unauthorized access and billing issues.
🛡️ Solution: Implemented a Bring-Your-Own-Key (BYOK) architecture by storing the key in the React `App.tsx` state and passing it down to the `analysisService.ts` for dynamic `GoogleGenAI` initialization. Tests were updated to reflect the new parameters.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

vercel Bot commented Jun 9, 2026

The latest updates on your projects:

Project: intelli-credit-v2 | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 9, 2026 10:54pm

coderabbitai Bot commented Jun 9, 2026

Important: Review skipped (draft detected).

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Run configuration: Organization UI; review profile: ASSERTIVE; plan: Pro Plus; run ID: 9d919ace-a742-4530-a14f-f43a00cdeb67.


sourcery-ai Bot commented Jun 9, 2026

Reviewer's Guide

Implements a Bring-Your-Own-Key flow for Gemini by removing the build-time GEMINI_API_KEY from Vite config, threading a geminiApiKey value through App state and DataIngestion UI into performAnalysis, and updating tests to validate the new props and function signatures.

Sequence diagram for BYOK Gemini API key flow

```mermaid
sequenceDiagram
  actor User
  participant DataIngestion
  participant App
  participant analysisService
  participant GoogleGenAI

  User->>DataIngestion: type Gemini API key
  DataIngestion->>App: setGeminiApiKey(geminiApiKey)
  User->>App: trigger performAnalysis
  App->>analysisService: performAnalysis(fileCache, apiMode, bureauApiKey, geminiApiKey, setLoading, setError, setAnalysis, setSources)
  analysisService->>GoogleGenAI: new GoogleGenAI(apiKey: geminiApiKey)
  GoogleGenAI-->>analysisService: model responses
  analysisService-->>App: setAnalysis(analysis)
  App-->>User: display analysis results
```

File-Level Changes

Change: Introduce BYOK Gemini API key handling via app state and the DataIngestion UI.
Details:
  • Extend DataIngestionProps with geminiApiKey and setGeminiApiKey callbacks and pass them through the component signature.
  • Replace the single-column bureau key section with a two-column layout that adds a Gemini API Key password input alongside the existing External Bureau API Key input.
  • Update the header label from 'Bureau Integrations' to 'API Keys & Integrations'.
Files: src/components/DataIngestion.tsx

Change: Update DataIngestion component tests for the new Gemini key UI and label changes.
Details:
  • Augment defaultProps in the test with geminiApiKey and setGeminiApiKey mocks.
  • Adjust expectations to assert the new header text and the presence of both Gemini and External Bureau API key labels.
  • Add an interaction test that changes the Gemini key input and asserts setGeminiApiKey is called with the new value.
Files: src/components/__tests__/DataIngestion.test.tsx

Change: Thread geminiApiKey through App state into performAnalysis and the DataIngestion component.
Details:
  • Add geminiApiKey and setGeminiApiKey useState hooks to App.
  • Pass geminiApiKey into performAnalysis along with the existing arguments.
  • Prop-drill geminiApiKey and setGeminiApiKey from App into the DataIngestion component.
Files: src/App.tsx

Change: Use a runtime-supplied Gemini API key in performAnalysis instead of a build-time environment variable.
Details:
  • Extend the performAnalysis function signature to accept a geminiApiKey parameter.
  • Initialize GoogleGenAI with the geminiApiKey argument instead of process.env.GEMINI_API_KEY.
Files: src/services/analysisService.ts

Change: Align analysis service tests with the new performAnalysis signature that includes geminiApiKey.
Details:
  • Update all performAnalysis invocations in tests to pass a mockGeminiKey value in the correct argument position.
Files: src/services/__tests__/analysisService.test.ts

Change: Remove build-time injection of GEMINI_API_KEY from the Vite configuration to avoid exposing the key in the bundle.
Details:
  • Delete the define block that mapped process.env.GEMINI_API_KEY into the client bundle.
Files: vite.config.ts

Change: (no details given)
Files: metadata.json


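An added example in TypeScript, not code from the Intelli-Credit-V2 project: it mimics the build-time substitution that Vite's `define` performs, shows why the removed define block baked the key into the bundle, and gives the post-build scan a reviewer would run over the emitted dist/ files to confirm the fix. The define block's shape and the `performAnalysis` signature are assumptions taken from the PR description.

```typescript
// Added example (not from the Intelli-Credit-V2 repo): simulate Vite `define`
// and scan the output for key-shaped strings.

// Constructed sample key: real Google API keys start with "AIza" followed by
// 35 characters from [0-9A-Za-z_-]. This one is obviously fake.
export const SAMPLE_KEY = "AIza" + new Array(36).join("X"); // 35 X's

// Vite replaces each `define` key with its value as raw source text, which is
// why configs wrap string values in JSON.stringify(...) to get a quoted literal.
export function applyDefine(source: string, define: Record<string, string>): string {
  let out = source;
  for (const identifier of Object.keys(define)) {
    out = out.split(identifier).join(define[identifier]);
  }
  return out;
}

// Post-build check: any match means a Google-style key ended up in the bundle.
export function findGoogleApiKeys(bundleText: string): string[] {
  return bundleText.match(/AIza[0-9A-Za-z_-]{35}/g) || [];
}

// "Before" (shape assumed from the PR description): the service reads
// process.env.GEMINI_API_KEY and vite.config.ts defines it at build time.
export const BEFORE_SOURCE =
  "const ai = new GoogleGenAI({ apiKey: process.env.GEMINI_API_KEY });";
export const BEFORE_DEFINE: Record<string, string> = {
  "process.env.GEMINI_API_KEY": JSON.stringify(SAMPLE_KEY),
};

// "After" (BYOK): the key is a runtime argument, so there is nothing to define
// and the bundle carries no secret.
export const AFTER_SOURCE =
  "export function performAnalysis(geminiApiKey: string) {\n" +
  "  const ai = new GoogleGenAI({ apiKey: geminiApiKey });\n" +
  "}";

// Build with the given define map, then scan the result.
export function buildAndScan(source: string, define: Record<string, string>) {
  const bundle = applyDefine(source, define);
  return { bundle, leaked: findGoogleApiKeys(bundle) };
}
```

Running `findGoogleApiKeys` over the real dist/ output after `vite build` is the cheap regression check that the define block has not been reintroduced.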
…, replace console logs

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
github-actions Bot added the labels documentation (Improvements or additions to documentation), github-actions and backend on Jun 9, 2026
github-actions Bot (Contributor) commented Jun 9, 2026

GEMINI_API_KEY is not set. Skipping real AI review generation.

NITISH-R-G and others added 2 commits June 9, 2026 22:52
…, replace console logs

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
sonarqubecloud Bot commented Jun 9, 2026


Labels: backend, documentation (Improvements or additions to documentation), frontend, github-actions
