fixing some bugs and cleaning the code #19

Open: KevinRusu wants to merge 1 commit into benevolentbandwidth:main from KevinRusu:main

@KevinRusu


Addresses a set of bugs and hardening issues found during a code audit of the FastAPI backend:

  • Startup validation — server now refuses to start if USE_MOCK=false and BEACON_API_KEY is not set; logs a clear warning when running authless in dev/mock mode. Previously, misconfigurations were only discovered on the first live request.
  • Fix unreachable error handler — the "Set USE_MOCK=true" message could never appear because the code caught NotImplementedError but GeminiProvider raised RuntimeError. Introduced a shared ProviderConfigError type so the catch works correctly.
  • Timing-safe auth — replaced != key comparison with secrets.compare_digest to prevent timing attacks.
  • Log privacy — user domains no longer logged at INFO level (browsing history on the server). Verdict + score stay at INFO; domain moves to DEBUG.
  • Mock score pass-through — MockProvider now mirrors the real provider's score range instead of returning fixed 9/5/1 values, so dev mode exercises the full pipeline.
  • Configurable Gemini model — model name now reads from GEMINI_MODEL env var (default gemini-2.5-flash-lite) so upgrades don't require a code change.
  • CORS hardening — allow_headers narrowed to the two headers the extension actually sends; origins now configurable via ALLOWED_ORIGINS env var.
  • Remove phantom PROVIDER env var (was documented in .env.example but never read by any code)
  • Simplified Dockerfile — collapsed redundant identical two-stage build into one stage.
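
The startup rule and the timing-safe comparison from the description above, as an added example that is not the PR's code: `AuthConfigError`, `load_api_key`, `api_key_matches` and `is_authorized` are hypothetical names, and the key values are constructed. It goes one step beyond the description by comparing bytes, because `secrets.compare_digest` raises `TypeError` on non-ASCII `str` input.

```python
import secrets


class AuthConfigError(RuntimeError):
    """Hypothetical error type for an unsafe auth configuration."""


def load_api_key(env):
    """Startup rule: a missing key is tolerated only in mock mode.

    Returns the configured key, or None when auth is disabled (mock/dev).
    """
    use_mock = env.get("USE_MOCK", "true").lower() == "true"
    key = env.get("BEACON_API_KEY", "")
    if not key:
        if not use_mock:
            raise AuthConfigError("BEACON_API_KEY must be set when USE_MOCK=false")
        return None
    return key


def api_key_matches(presented, expected):
    """Constant-time key check that rejects odd input instead of crashing."""
    if not expected or not isinstance(presented, str) or not presented:
        return False  # a missing header or an unset key never authenticates
    # compare_digest raises TypeError for non-ASCII str arguments, so the
    # client-supplied header value is compared as bytes.
    return secrets.compare_digest(presented.encode("utf-8"),
                                  expected.encode("utf-8"))


def is_authorized(presented, env):
    """Request-time decision; open only if startup allowed auth to be off."""
    expected = load_api_key(env)
    if expected is None:
        return True
    return api_key_matches(presented, expected)


if __name__ == "__main__":
    # Constructed environment and header values, for illustration only.
    prod = {"USE_MOCK": "false", "BEACON_API_KEY": "constructed-key-123"}
    for header in ("constructed-key-123", "constructed-key-124", "clé", None):
        print(repr(header), is_authorized(header, prod))
```

Passing `os.environ` as `env` works unchanged, since it supports `.get`.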

Copilot AI review requested due to automatic review settings June 12, 2026 02:09

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Improve production-readiness of the API by tightening configuration validation, security defaults, and provider configurability.

Changes:

  • Add startup config validation and a dedicated ProviderConfigError for provider misconfiguration.
  • Make Gemini model configurable via GEMINI_MODEL and improve missing-key guidance.
  • Harden auth comparison, tighten CORS settings, and simplify the Dockerfile.

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 4 comments.

Show a summary per file
| File | Description |
| --- | --- |
| api/providers/mock_provider.py | Adjust mock scoring/reasons to align output with heuristic inputs. |
| api/providers/gemini_provider.py | Add configurable model selection and raise typed config errors. |
| api/main.py | Add fail-fast startup validation, adjust CORS, and refine logging/error handling. |
| api/exceptions.py | Introduce ProviderConfigError for missing provider configuration. |
| api/auth.py | Use constant-time comparison for API key validation. |
| api/README.md | Document new env vars and updated production-mode requirements. |
| api/Dockerfile | Remove redundant multi-stage build. |
| api/.env.example | Update example env vars (model/origins). |
| .gitignore | Ignore additional generated/output directories. |


Comment on lines +6 to +26
score = request.heuristic_score
if score >= 7:
return AnalyzeResponse(
risk_score=9,
risk_score=score,
label="scam",
action="block",
reason="Domain registered recently; urgency language matches credential-harvesting patterns.",
reason="Heuristic signals indicate high likelihood of phishing or fraud.",
)
if request.heuristic_score >= 4:
if score >= 4:
return AnalyzeResponse(
risk_score=5,
risk_score=score,
label="uncertain",
action="warn",
reason="Some indicators of potential phishing detected.",
reason="Some suspicious indicators detected; proceed with caution.",
)
return AnalyzeResponse(
risk_score=1,
risk_score=score,
label="safe",
action="allow",
reason="No significant risk indicators detected.",
)
) No newline at end of file
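Review bot: `risk_score=score` in all three branches forwards `request.heuristic_score` unchanged, so the response score is whatever the caller sent, and nothing in this hunk bounds it. If `AnalyzeRequest` does not already constrain `heuristic_score` to the range the real provider returns, clamp it here before building `AnalyzeResponse`, so a mock run cannot emit a score the extension never sees in production. The file also still ends without a trailing newline (the `No newline at end of file` marker on the last line).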
Comment on lines 2 to +7
from google import genai
from google.genai import types
from schemas import AnalyzeRequest, AnalyzeResponse
from exceptions import ProviderConfigError

MODEL = os.getenv("GEMINI_MODEL", "gemini-2.5-flash-lite")
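Review bot: `MODEL = os.getenv("GEMINI_MODEL", "gemini-2.5-flash-lite")` is evaluated once at import time and falls back to the default only when the variable is absent. A `GEMINI_MODEL=` entry left empty yields an empty model name rather than the default, and any environment loading that happens after this module is imported is ignored. Suggest `os.getenv("GEMINI_MODEL") or "gemini-2.5-flash-lite"`, and reading the value where the client is constructed rather than at module level.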
Comment thread api/main.py
Comment on lines +24 to +40
def _validate_config() -> None:
use_mock = os.getenv("USE_MOCK", "true").lower() == "true"
has_key = bool(os.getenv("BEACON_API_KEY", ""))

if not use_mock and not has_key:
raise RuntimeError(
"BEACON_API_KEY must be set when USE_MOCK=false. "
"Set it in api/.env or the environment."
)
if use_mock and not has_key:
logger.warning("AUTH DISABLED — BEACON_API_KEY not set (mock/dev mode only)")

# Eagerly initialise the provider so a missing GEMINI_API_KEY fails here
# with a clear message rather than producing a 503 on the first request.
get_provider()

_validate_config()
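Review bot: `os.getenv("USE_MOCK", "true")` makes mock mode the default, so a deployment that sets neither `USE_MOCK` nor `BEACON_API_KEY` takes the `use_mock and not has_key` branch and starts with auth disabled behind a single warning line. Suggest defaulting `USE_MOCK` to false so the authless path needs an explicit opt-in, and logging the resolved mode at startup. Two smaller points: `bool(os.getenv("BEACON_API_KEY", ""))` accepts a whitespace-only key as set, and the module-level `_validate_config()` call runs `get_provider()` on import, which makes the module harder to import in tests without a full environment.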
Comment thread api/main.py
Comment on lines +74 to 76
except ProviderConfigError as e:
logger.error("provider not configured: %s", e)
raise HTTPException(status_code=503, detail="LLM provider not configured. Set USE_MOCK=true.")
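Review bot: the `detail` string in the `HTTPException` sends operator guidance ("Set USE_MOCK=true.") to whoever called the API, and the bare `raise` drops the original exception chain. Keep the remediation hint in the `logger.error` line, return a generic detail such as "Service temporarily unavailable", and use `raise HTTPException(...) from e` so the cause stays attached in tracebacks.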