{ "steward": "react-config-steward", "project": "Azure-AI-RAG-CSharp-Semantic-Kernel-Functions", "runDate": "2026-03-21", "runId": "2026-03-21T00-00-00", "findings": [ { "id": "RCFG-ENVVAR-001", "title": "No .env.example documenting required variables", "severity": "notable", "category": "ENVVAR", "file": "src/web/", "description": "There is no .env.example or .env.sample file in src/web/. The only documentation of REACT_APP_API_HOST is informal prose in README.md. Developers cloning the repo have no machine-readable reference and tooling cannot validate completeness.", "recommendation": "Create src/web/.env.example with REACT_APP_API_HOST=http://localhost:8080 and a descriptive comment. Commit it to source control.", "status": "open" }, { "id": "RCFG-BUILD-001", "title": "Bicep App Service REACT_APP_API_HOST setting is ineffective for CRA static builds", "severity": "notable", "category": "BUILD", "file": "infra/app/web-app.bicep", "line": 27, "description": "infra/app/web-app.bicep sets REACT_APP_API_HOST as an Azure App Service application setting. CRA bakes process.env.REACT_APP_* into the static bundle at build time; runtime App Service settings have no effect. This creates a false sense of runtime configurability and may mislead operators into believing they can change the API URL without a rebuild.", "recommendation": "Remove the REACT_APP_API_HOST app setting from web-app.bicep and add a comment explaining that CRA variables are baked at build time by deploy_web.ps1. If runtime reconfigurability is needed, adopt a runtime config injection pattern (e.g., window._env_ via a served config.js).", "status": "open" }, { "id": "RCFG-APIURL-001", "title": "No fallback or startup validation for REACT_APP_API_HOST — undefined URL causes silent failure", "severity": "notable", "category": "APIURL", "file": "src/web/src/SupportAgent/Agent.js", "line": 29, "description": "Both fetch calls concatenate process.env.REACT_APP_API_HOST without a null/undefined check. If the variable is not defined at build time, the URL becomes the string 'undefined/chat', the fetch fails silently, and the user sees no error — the chat panel simply never initializes.", "recommendation": "Add a module-level check for REACT_APP_API_HOST and log an actionable error if it is undefined. Add .catch() handlers to handlePrompt and handleSession to surface network errors to the user.", "status": "open" }, { "id": "RCFG-ENVVAR-002", "title": "No .env.development file — local development requires manual .env creation with no guidance", "severity": "minor", "category": "ENVVAR", "file": "src/web/", "description": "CRA natively loads .env.development when running npm start. Without this file, developers must manually create a .env file before the application works locally. There is no automated default and no immediate error to guide them.", "recommendation": "Create src/web/.env.development with REACT_APP_API_HOST=http://localhost:8080 and commit it. This file contains no secrets and is not excluded by .gitignore.", "status": "open" }, { "id": "RCFG-ENVVAR-003", "title": "dotenv package listed in dependencies instead of devDependencies", "severity": "minor", "category": "ENVVAR", "file": "src/web/package.json", "line": 13, "description": "dotenv is listed as a runtime dependency in package.json. CRA handles .env files natively via react-scripts; the dotenv package is not imported in any source file and is unnecessary. Listing it in dependencies rather than devDependencies is misleading and adds dead weight.", "recommendation": "Remove dotenv from dependencies. If needed for tooling scripts, move it to devDependencies. Verify no source file imports it before removing.", "status": "open" }, { "id": "RCFG-BUILD-002", "title": "No .env.production default file — accidental build without API URL goes undetected", "severity": "minor", "category": "BUILD", "file": "src/web/", "description": "There is no .env.production file in src/web/. CRA loads this file during npm run build. If the build is run without deploy_web.ps1 (e.g., in a CI pipeline), REACT_APP_API_HOST will be undefined and the build will silently produce a broken artifact.", "recommendation": "Create src/web/.env.production as a placeholder with a comment explaining that REACT_APP_API_HOST must be supplied by the deploy pipeline before building. Commit it to document the intent.", "status": "open" }, { "id": "RCFG-ENVVAR-004", "title": "REACT_APP_ prefix used correctly for all environment variables", "severity": "info", "category": "ENVVAR", "file": "src/web/src/SupportAgent/Agent.js", "description": "All environment variable references in source code use the correct REACT_APP_ prefix required by CRA. No Vite-style or non-prefixed variables are present.", "recommendation": "No action required.", "status": "open" }, { "id": "RCFG-ENVVAR-005", "title": ".env and .env.*.local files correctly gitignored", "severity": "info", "category": "ENVVAR", "file": "src/web/.gitignore", "description": "src/web/.gitignore correctly excludes .env, .env.local, .env.development.local, .env.test.local, and .env.production.local. No .env files with real values are committed to source control.", "recommendation": "No action required.", "status": "open" }, { "id": "RCFG-BUILD-003", "title": "Deploy script correctly writes .env before building", "severity": "info", "category": "BUILD", "file": "infra/scripts/deploy_web.ps1", "line": 13, "description": "deploy_web.ps1 writes REACT_APP_API_HOST=$apiURL to src/web/.env before invoking npm run build. This is the correct pattern for CRA builds and ensures the production API URL is baked into the bundle.", "recommendation": "No action required.", "status": "open" } ], "summary": { "critical": 0, "notable": 3, "minor": 3, "info": 3, "total": 9 } }