ADR 0009: Fail-fast env validation in prod/stage¶
- Status:
Accepted
Context¶
Insecure development defaults - a wildcard CORS origin, a placeholder secret, a fallback database name - leaking into a protected deployment is a classic “works in dev, leaks in prod” hazard that is invisible until it is exploited.
Decision¶
Module-level validators run at import in app/core/config.py and raise
ValueError (blocking boot) only when ENV is prod or stage:
rejecting "*" in CORS, rejecting an empty SECRET_KEY or an
empty/placeholder KEYCLOAK_CLIENT_SECRET, requiring DB_NAME (the old
game_dev_db fallback was removed), and rejecting malformed trusted-proxy
CIDRs. In dev and test the validators early-return.
Consequences¶
Misconfiguration becomes a loud startup failure instead of a silent runtime leak.
prod/stagegenuinely require these variables to be set; dev and the test suite are unaffected.
See also¶
Security - “Secrets & fail-fast configuration”.
Configuration Reference - every variable these checks guard.