feat: add hardcoded + environment variable code verification

Implemented flexible access code verification with two methods:

Method 1 - Hardcoded List (Option 2):
- VALID_CODES array in ApiKeySettings.tsx
- Includes expiration dates and descriptions
- Perfect for permanent/special access codes
- Example codes: 123-4567-890, 999-8888-777, 555-1234-999

Method 2 - Environment Variables (Option 3):
- VITE_VALID_ACCESS_CODES environment variable
- Comma-separated list of codes
- No expiration dates (unlimited validity)
- Easy to update without code changes

Features:
- Validates against both lists
- Checks expiration dates for hardcoded codes
- Clear validation messages with expiry info
- Added .env.example with configuration examples

Benefits:
- Maximum flexibility for code management
- Can combine both methods simultaneously
- No backend required (fully client-side)
- Easy to manage codes via environment variables

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: KevenWMarkham

.env.example

@@ -1,2 +1,14 @@
-# Frontend API URL
-VITE_API_URL=http://localhost:3000/api
+# Gemini API Configuration
+# Your developer API key for Gemini (used in code/paid modes)
+VITE_GEMINI_API_KEY=your-api-key-here
+
+# Access Code Verification (Option 3)
+# Comma-separated list of valid access codes
+# These codes will be accepted in addition to the hardcoded VALID_CODES list
+# Example: VITE_VALID_ACCESS_CODES=123-4567-890,999-8888-777,555-1234-999
+VITE_VALID_ACCESS_CODES=
+
+# Code Verification API (Option 1 - for backend verification)
+# URL for backend API endpoint that verifies access codes
+# Example: VITE_CODE_VERIFY_URL=https://your-api.com/api/verify-code
+#VITE_CODE_VERIFY_URL=

src/components/ApiKeySettings.tsx

@@ -34,6 +34,34 @@ interface ApiKeySettingsProps {
 const API_KEY_STORAGE_KEY = 'gemini_api_config'
 const CODE_PATTERN = /^\d{3}-\d{4}-\d{3}$/ // Format: 000-0000-000
 
+// Valid access codes with expiration dates and descriptions
+// Option 2: Hardcoded list (for quick testing/permanent codes)
+const VALID_CODES = [
+  {
+    code: '123-4567-890',
+    expiresAt: '2025-12-31',
+    description: 'Beta Tester Access',
+  },
+  {
+    code: '999-8888-777',
+    expiresAt: '2025-06-30',
+    description: 'Promotional Code',
+  },
+  {
+    code: '555-1234-999',
+    expiresAt: null,
+    description: 'Lifetime Access',
+  },
+]
+
+// Option 3: Load additional codes from environment variable
+// Set VITE_VALID_ACCESS_CODES=123-4567-890,999-8888-777,555-1234-999 in .env
+const getValidCodesFromEnv = (): string[] => {
+  const envCodes = import.meta.env.VITE_VALID_ACCESS_CODES
+  if (!envCodes) return []
+  return envCodes.split(',').map((code: string) => code.trim())
+}
+
 export function ApiKeySettings({
   isOpen,
   onClose,
@@ -94,11 +122,45 @@ export function ApiKeySettings({
       return false
     }
 
-    // Code format is valid - mark as valid
-    // In a production app, you would verify this code against a database
-    setValidationStatus('valid')
-    setValidationMessage('Access code format is valid!')
-    return true
+    // Check Option 2: Hardcoded list with expiration dates
+    const validCode = VALID_CODES.find(c => c.code === accessCode)
+
+    if (validCode) {
+      // Check if code is expired
+      if (validCode.expiresAt) {
+        const expiryDate = new Date(validCode.expiresAt)
+        if (expiryDate < new Date()) {
+          setValidationStatus('invalid')
+          setValidationMessage('This access code has expired.')
+          return false
+        }
+      }
+
+      // Code is valid!
+      setValidationStatus('valid')
+      const expiryMessage = validCode.expiresAt
+        ? ` Valid until ${new Date(validCode.expiresAt).toLocaleDateString()}.`
+        : ' No expiration.'
+      setValidationMessage(
+        `Access code verified! ${validCode.description}.${expiryMessage}`
+      )
+      return true
+    }
+
+    // Check Option 3: Environment variable codes (no expiration)
+    const envCodes = getValidCodesFromEnv()
+    if (envCodes.includes(accessCode)) {
+      setValidationStatus('valid')
+      setValidationMessage('Access code verified! No expiration.')
+      return true
+    }
+
+    // Code not found in either list
+    setValidationStatus('invalid')
+    setValidationMessage(
+      'Invalid access code. Please contact support for a valid code.'
+    )
+    return false
   }
 
   const validateApiKey = async () => {