feat: add service-level auth token to email inbound flow

[sweetmantech]

Summary

• Added RECOUP_API_KEY constant to lib/const.ts (reads from process.env.RECOUP_API_KEY)
• Pass authToken: RECOUP_API_KEY in the ChatRequestBody built by validateNewEmailMemory, so the email agent gets MCP tools (sandbox, etc.) instead of zero tools
• Added test file validateNewEmailMemory.test.ts with 3 tests covering authToken presence, correct body shape, and duplicate detection

Test plan

• New test verifies chatRequestBody.authToken equals RECOUP_API_KEY
• All 137 test files pass (1136 tests)
• pnpm build succeeds with no type errors
• Set RECOUP_API_KEY env var in Vercel for the API project (same value as tasks)
• Send a test email to [email protected] requesting a sandbox command — agent should now use MCP tools

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Implemented API key-based authentication configuration for email processing workflows to enable secure credential management through environment settings.

[cursor]

You have run out of free Bugbot PR reviews for this billing cycle. This will reset on March 17.

To receive reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
recoup-api	Ready	Preview	Feb 18, 2026 1:25am

[coderabbitai]

📝 Walkthrough

Walkthrough

Environment variable RECOUP_API_KEY is now exported as a constant in lib/const.ts with an empty string fallback. This constant is subsequently imported and propagated as an authToken parameter in the ChatRequestBody within the email validation memory module.

Changes

Cohort / File(s)	Summary
API Key Configuration lib/const.ts	Introduced new exported constant RECOUP_API_KEY reading from environment variable with empty string fallback.
Email Validation Integration lib/emails/inbound/validateNewEmailMemory.ts	Imported RECOUP_API_KEY and included it as authToken parameter in ChatRequestBody construction.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🔑 A key emerges from the env,
Through const it finds its way,
Into chatrooms where emails convene,
Auth tokens brightening the day! ✨

🚥 Pre-merge checks | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Solid & Clean Code	⚠️ Warning	RECOUP_API_KEY uses silent fallback to empty string instead of fail-fast pattern, violating consistency with PRIVY_PROJECT_SECRET and clean code principles.	Apply fail-fast pattern: throw descriptive error if RECOUP_API_KEY environment variable is missing, matching PRIVY_PROJECT_SECRET implementation for consistency and reliability.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sweetmantech/myc-4270-generate-a-service-level-auth-token-for-the-email-flow-so

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@lib/const.ts`:
- Line 32: RECOUP_API_KEY currently defaults to an empty string which hides a
missing configuration; change its initialization to mirror the startup guard
used by PRIVY_PROJECT_SECRET by throwing an explicit Error when
process.env.RECOUP_API_KEY is not set (refer to the existing
PRIVY_PROJECT_SECRET pattern) so the app fails fast at startup instead of
silently using "" for RECOUP_API_KEY.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

RECOUP_API_KEY should fail fast when unset, not silently fall back to "".

PRIVY_PROJECT_SECRET on lines 3–5 guards against a missing env var at startup with an explicit throw. RECOUP_API_KEY is equally load-bearing in production — it's the service-level auth token that gates MCP tool access in the email inbound flow. Falling back to "" means the app starts up successfully even if this env var is never configured in Vercel, and every inbound email request will carry an empty authToken with no error signal — silently regressing to pre-PR, tool-less behavior. The PR description itself calls out configuring this env var as a manual step, making the silent-failure risk concrete.

Apply the same startup-guard pattern used by PRIVY_PROJECT_SECRET:

🛡️ Proposed fix: fail fast on missing RECOUP_API_KEY

+if (!process.env.RECOUP_API_KEY) {
+  throw new Error("RECOUP_API_KEY environment variable is required");
+}
+
-export const RECOUP_API_KEY = process.env.RECOUP_API_KEY || "";
+export const RECOUP_API_KEY = process.env.RECOUP_API_KEY;

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	export const RECOUP_API_KEY = process.env.RECOUP_API_KEY || "";
	if (!process.env.RECOUP_API_KEY) {
	throw new Error("RECOUP_API_KEY environment variable is required");
	}
	export const RECOUP_API_KEY = process.env.RECOUP_API_KEY;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/const.ts` at line 32, RECOUP_API_KEY currently defaults to an empty
string which hides a missing configuration; change its initialization to mirror
the startup guard used by PRIVY_PROJECT_SECRET by throwing an explicit Error
when process.env.RECOUP_API_KEY is not set (refer to the existing
PRIVY_PROJECT_SECRET pattern) so the app fails fast at startup instead of
silently using "" for RECOUP_API_KEY.