Goal
Guarantee that every environment uses correct, secure configuration by validating env values through real execution and clear separation of dev, staging, and production behavior.
Rule Behavior
1️⃣ Define Explicit Config Per Environment
- Keep separate config definitions for development, staging, and production
- Store environment specific values in env files or platform level secrets
- Avoid hard coded credentials or URLs in source code
2️⃣ Validate Config At Runtime Startup
- Fail fast when required env variables are missing
- Log which configuration profile is active without exposing secrets
- Use a single config module that validates shape and types
3️⃣ Prevent Secrets From Leaking
- Do not send server side secrets to the browser
- Ensure logs never print tokens, passwords, or keys
- Use Agent to scan code paths that pass env values into client bundles
4️⃣ Test Fallback And Default Paths
- Simulate missing keys and verify safe default behavior
- Avoid silent fallback that hides misconfigurations
- Make misconfigured environments obvious during execution
5️⃣ Keep Configuration Central And Traceable
- Use one place to define and validate required env keys
- Document meaning and allowed values for each key
- Ensure changes to config go through review and testing
Examples
- "Check that all required env variables are defined for production."
- "Simulate missing DATABASE_URL and show how the app responds."
- "Verify that no secret env values are referenced in React components."
Tool Prompts
- "List all usages of process.env and classify them as server or client."
- "Add a config loader that validates required keys at startup."
- "Run the app with a test env file and report any missing or invalid values."
Quick Implementation Wins
- Create a config module that exports typed, validated settings
- Add a startup check that exits on missing critical env values
- Review logs to ensure sensitive information never appears in output