mirror of
https://github.com/ClusterCockpit/cc-backend
synced 2026-06-26 12:20:36 +02:00
moebiusband
173379c69e
Entire-Session: ff60049e-0295-4c11-91d2-df6328961aca Entire-Strategy: manual-commit Entire-Agent: Claude Code Ephemeral-branch: entire/3bfd3d0-e3b0c4
4 lines
969 B
Plaintext
4 lines
969 B
Plaintext
We want to replace .env file support by a layered approach with secrets put into config and load secrets from env variables takes precendence. Error if neither is present. A Claude review of the approach added the following points: Use a separate, gitignored config overlay for local dev secrets (e.g. config.local.yaml merged over config.yaml) rather than embedding secret fields in the base config struct path. Keeps the separation clean.
|
|
Add a startup validation function that checks every required secret resolves to a non-empty string, reports all missing ones at once (not just the first), and logs the source of each secret at debug level (resolved DB_PASSWORD from environment vs from config).
|
|
Explicitly block config-sourced secrets in production with a runtime guard, not just documentation.
|
|
Document the resolution order in the README and in a comment near the resolution logic — future maintainers will thank you. . Analyse the situation and make a plan. |