ADR 0009: Fail-fast env validation in prod/stage

Status:

Accepted

Context

Insecure development defaults - a wildcard CORS origin, a placeholder secret, a fallback database name - leaking into a protected deployment is a classic “works in dev, leaks in prod” hazard that is invisible until it is exploited.

Decision

Module-level validators run at import in app/core/config.py and raise ValueError (blocking boot) only when ENV is prod or stage: rejecting "*" in CORS, rejecting an empty SECRET_KEY or an empty/placeholder KEYCLOAK_CLIENT_SECRET, requiring DB_NAME (the old game_dev_db fallback was removed), and rejecting malformed trusted-proxy CIDRs. In dev and test the validators early-return.

Consequences

  • Misconfiguration becomes a loud startup failure instead of a silent runtime leak.

  • prod/stage genuinely require these variables to be set; dev and the test suite are unaffected.

See also