Skip to content

[config] Enforce SECRET_KEY only when serving HTTP, not on CLI#1152

Merged
frankrousseau merged 1 commit into
cgwire:mainfrom
frankrousseau:fix-secret-key-cli-guard
Jul 10, 2026
Merged

[config] Enforce SECRET_KEY only when serving HTTP, not on CLI#1152
frankrousseau merged 1 commit into
cgwire:mainfrom
frankrousseau:fix-secret-key-cli-guard

Conversation

@frankrousseau

Copy link
Copy Markdown
Contributor

Problems

  • The insecure-default SECRET_KEY guard ran at config import, so every zou CLI command (create-admin, init-db, ...) crashed with a RuntimeError when the variable was unset.

Solutions

  • Exempt CLI commands (they load zou.cli) alongside pytest; gunicorn and the dev server still refuse to boot with the public default.

The insecure-default SECRET_KEY guard ran at config import, so every zou
CLI command (create-admin, init-db, ...) crashed with a RuntimeError
when the variable was unset. CLI commands never sign JWTs, so exempt
them (they load zou.cli) alongside pytest, while gunicorn and the dev
server still refuse to boot with the public default.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@frankrousseau
frankrousseau merged commit aa70afa into cgwire:main Jul 10, 2026
14 checks passed
@frankrousseau
frankrousseau deleted the fix-secret-key-cli-guard branch July 10, 2026 12:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant