In src/config.py line 17:
ALLOW_UNSIGNED_WEBHOOKS: bool = os.getenv("ALLOW_UNSIGNED_WEBHOOKS", "").lower() == "true"
The comment says "Never enable in production" but any non-empty truthy string enables it. This is too easy to accidentally trigger (e.g., setting it to "1" or "yes" in a dev environment that gets promoted).
Recommendation: Add a second gate — require both ALLOW_UNSIGNED_WEBHOOKS=true AND ENVIRONMENT=development (or a similar explicit opt-in). Log a prominent warning on startup when enabled.
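One way to implement the recommended second gate and startup warning, as an added example rather than code from the repository under review. `resolve_allow_unsigned_webhooks` and `ConfigError` are hypothetical names, and refusing to start on an ambiguous value or a non-development environment is this example's design choice.

```python
import logging
from typing import Mapping

log = logging.getLogger("config")

# Assumption: ENVIRONMENT is the deployment-tier variable and "development"
# is the only tier where unsigned webhooks are acceptable.
DEV_ENVIRONMENTS = frozenset({"development"})
TRUE_VALUES = frozenset({"true"})
FALSE_VALUES = frozenset({"", "false"})


class ConfigError(RuntimeError):
    """Raised at startup so a bad combination fails the deploy, not a request."""


def resolve_allow_unsigned_webhooks(env: Mapping[str, str]) -> bool:
    raw = env.get("ALLOW_UNSIGNED_WEBHOOKS", "").strip().lower()
    environment = env.get("ENVIRONMENT", "").strip().lower()

    if raw in FALSE_VALUES:
        return False
    if raw not in TRUE_VALUES:
        # Reject "1", "yes" and typos: an operator who set the variable
        # expected some effect, so ambiguity is surfaced, not ignored.
        raise ConfigError(f"ALLOW_UNSIGNED_WEBHOOKS has unrecognised value {raw!r}")
    if environment not in DEV_ENVIRONMENTS:
        # Second gate: the flag alone is not enough. A missing ENVIRONMENT
        # counts as non-development, so the default is fail closed.
        raise ConfigError(
            "ALLOW_UNSIGNED_WEBHOOKS=true is only permitted when "
            "ENVIRONMENT=development"
        )
    log.warning(
        "WEBHOOK SIGNATURE VERIFICATION IS DISABLED "
        "(ALLOW_UNSIGNED_WEBHOOKS=true, ENVIRONMENT=%s)", environment
    )
    return True


if __name__ == "__main__":
    import os
    logging.basicConfig(level=logging.WARNING)
    print(resolve_allow_unsigned_webhooks(os.environ))
```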