# Env Coverage Audit — 2026-05-13

State of EXPO_PUBLIC_* vars across the four layers that affect OTA bundles & native builds.

Layers:
- **GH-vars**: GitHub Actions repo VARIABLES (read by `_eas-update.yml` via `toJson(vars)`)
- **EAS-prod**: EAS env `production`
- **EAS-prev**: EAS env `preview`
- **EAS-dev**: EAS env `development`

| Var | GH-vars | EAS-prod | EAS-prev | EAS-dev |
|---|---|---|---|---|
| EXPO_PUBLIC_API_BASE_URL | ✓ (OLD GAE) | ❌ MISSING | ✓ | ✓ |
| EXPO_PUBLIC_GOOGLE_IOS_URL_SCHEME_DEV | ✓ | ❌ MISSING | ✓ | ✓ |
| EXPO_PUBLIC_GOOGLE_IOS_URL_SCHEME_PREVIEW | ✓ | ❌ MISSING | ✓ | ❌ MISSING |
| EXPO_PUBLIC_GOOGLE_IOS_URL_SCHEME_PROD | ✓ | ✓ | ✓ | ❌ MISSING |
| EXPO_PUBLIC_GOOGLE_WEB_CLIENT_ID | ✓ | ✓ | ✓ | ✓ |
| EXPO_PUBLIC_POSTHOG_API_KEY | ✓ | ✓ (added today) | ✓ | ✓ |
| EXPO_PUBLIC_POSTHOG_HOST | ✓ | ✓ (added today) | ✓ | ✓ |
| EXPO_PUBLIC_SUPABASE_ANON_KEY | ✓ (new, today) | ✓ (new) | ✓ (new) | ✓ (new) |
| EXPO_PUBLIC_SUPABASE_URL | ✓ (new, today) | ✓ (new) | ✓ (new) | ✓ (new) |
| EXPO_PUBLIC_WS_BASE_URL | ✓ | ❌ MISSING | ✓ | ✓ |

## Today's remediation

1. `gh variable set EXPO_PUBLIC_SUPABASE_URL` → new Supabase URL.
2. `gh variable set EXPO_PUBLIC_SUPABASE_ANON_KEY` → new Supabase anon key.
3. `eas env:create production EXPO_PUBLIC_POSTHOG_API_KEY` (sensitive).
4. `eas env:create production EXPO_PUBLIC_POSTHOG_HOST` (plaintext).
5. Republished staging: update group `14d1db59-24f3-49e0-9efa-8486e53016ca` (branch staging, runtime 1.0.1, commit a11e64f5*, with `--environment production`).

## Remaining gaps (NOT auto-fixed — values are context-specific)

**EAS production env** still missing:
- `EXPO_PUBLIC_API_BASE_URL` — currently OLD GAE in GH-vars; production should ultimately be its own prod GAE/Cloud Run URL. Pending Q1/Q2/Q3 backend URL switch decision.
- `EXPO_PUBLIC_WS_BASE_URL` — same as above; preview value points to asia-southeast1 Cloud Run.
- `EXPO_PUBLIC_GOOGLE_IOS_URL_SCHEME_DEV` / `PREVIEW` — probably intentional (production shouldn't need dev/preview iOS schemes). Leave.

**EAS development env** missing:
- `EXPO_PUBLIC_GOOGLE_IOS_URL_SCHEME_PROD` — probably intentional. Leave.
- `EXPO_PUBLIC_GOOGLE_IOS_URL_SCHEME_PREVIEW` — probably intentional. Leave.

## Standing rule going forward (per user msg 3555)

When running `eas update` in a worktree, ALWAYS pass `--environment <preview|development|production>` matching target context. Worktrees may not have full `.env.local`. Use `eas env:pull` to sync if local code testing needs the values.

## Why the previous staging republish (1fa53d45) appeared to ship missing PostHog

Most likely: the prior manual republish ran without `--environment` flag, so it relied on `.env.local` in cwd. If cwd was a worktree with incomplete `.env.local` (e.g. `stock-detail-header` has none) Metro would inline `''` for PostHog. New republish (`14d1db59`) uses `--environment production`, which now has PostHog populated.