We want to replace .env file support with a layered approach: secrets may be put into the config file, secrets loaded from environment variables take precedence, and startup errors out if neither source provides a required secret. A Claude review of the approach added the following points: Use a separate, gitignored config overlay for local dev secrets (e.g. config.local.yaml merged over config.yaml) rather than embedding secret fields in the base config struct path. Keeps the separation clean.
Add a startup validation function that checks every required secret resolves to a non-empty string, reports all missing ones at once (not just the first), and logs the source of each secret at debug level (resolved DB_PASSWORD from environment vs from config).
Explicitly block config-sourced secrets in production with a runtime guard, not just documentation.
Document the resolution order in the README and in a comment near the resolution logic — future maintainers will thank you.

Analyse the situation and make a plan.
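The resolver the plan and review describe, written out as an added example (this is not the project's code and assumes nothing about its config structs): an overlay merge for the gitignored local config, environment-over-config resolution, a startup validation that reports every missing secret at once, a runtime guard that rejects config-sourced secrets in production, and a debug report that names each secret's source without its value. The secret names DB_PASSWORD and API_TOKEN, the APP_ENV variable and the sample config maps are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"sort"
	"strings"
)

// ResolvedSecret holds a secret's value and the layer it was resolved from.
// Only the name and Source are ever reported; Value is never logged.
type ResolvedSecret struct {
	Value  string
	Source string // "environment" or "config"
}

// EnvLookup has the shape of os.LookupEnv so a test can inject a fake environment.
type EnvLookup func(key string) (string, bool)

// MergeConfig layers a gitignored local overlay (e.g. config.local.yaml) over the
// base config: any non-empty key in overlay wins. Both maps are assumed to be
// already parsed; YAML loading is outside this example.
func MergeConfig(base, overlay map[string]string) map[string]string {
	merged := make(map[string]string, len(base)+len(overlay))
	for k, v := range base {
		merged[k] = v
	}
	for k, v := range overlay {
		if v != "" {
			merged[k] = v
		}
	}
	return merged
}

// ResolveSecrets applies the resolution order:
//  1. environment variable (always wins),
//  2. merged config (development only),
//  3. otherwise the secret is missing.
// Every required name is checked so the returned error lists all problems at once.
// In production a runtime guard rejects any secret that only exists in config.
func ResolveSecrets(required []string, cfg map[string]string, env EnvLookup, production bool) (map[string]ResolvedSecret, error) {
	resolved := make(map[string]ResolvedSecret, len(required))
	var missing, configOnlyInProd []string

	for _, name := range required {
		if v, ok := env(name); ok && v != "" {
			resolved[name] = ResolvedSecret{Value: v, Source: "environment"}
			continue
		}
		if v := cfg[name]; v != "" {
			if production {
				configOnlyInProd = append(configOnlyInProd, name)
				continue
			}
			resolved[name] = ResolvedSecret{Value: v, Source: "config"}
			continue
		}
		missing = append(missing, name)
	}

	var problems []string
	if len(missing) > 0 {
		problems = append(problems, "missing required secrets: "+strings.Join(missing, ", "))
	}
	if len(configOnlyInProd) > 0 {
		problems = append(problems, "secrets must come from the environment in production, found only in config: "+strings.Join(configOnlyInProd, ", "))
	}
	if len(problems) > 0 {
		return nil, errors.New(strings.Join(problems, "; "))
	}
	return resolved, nil
}

// SourceReport returns one debug-level line per secret, naming the source only.
func SourceReport(resolved map[string]ResolvedSecret) []string {
	lines := make([]string, 0, len(resolved))
	for name, s := range resolved {
		lines = append(lines, fmt.Sprintf("resolved %s from %s", name, s.Source))
	}
	sort.Strings(lines)
	return lines
}

func main() {
	// Constructed sample: the base config carries no secrets, the local overlay supplies one.
	base := map[string]string{"DB_HOST": "localhost", "API_TOKEN": ""}
	local := map[string]string{"API_TOKEN": "dev-only-token"}
	cfg := MergeConfig(base, local)

	required := []string{"DB_PASSWORD", "API_TOKEN"}
	production := os.Getenv("APP_ENV") == "production" // APP_ENV is an assumed variable name

	secrets, err := ResolveSecrets(required, cfg, os.LookupEnv, production)
	if err != nil {
		fmt.Fprintln(os.Stderr, "startup validation failed:", err)
		os.Exit(1)
	}
	for _, line := range SourceReport(secrets) {
		fmt.Println("DEBUG:", line)
	}
}
```

Run with `DB_PASSWORD=x go run .` to see the source report; run with `APP_ENV=production DB_PASSWORD=x go run .` to see the guard reject the config-only API_TOKEN. The guard lives in the resolver rather than in a separate check so a future caller cannot resolve secrets while skipping it.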