Skip to content

Runtime secret placeholder validation breaks existing deployments #526

Description

@ChristianPavilonis

Problem

Commit 5d8d16f (#467) introduced runtime placeholder secret validation that rejects known placeholder values for synthetic.secret_key and publisher.proxy_secret at startup. The expanded placeholder list and case-insensitive matching now catches deployments that were previously working fine.

Expected Behavior

Deployments that worked before #467 should continue to work. Secret validation should only check that values are non-empty, not reject specific known strings.

Decision

The team decided this should be a no-fix for now — remove the runtime placeholder checks entirely while keeping the existing non-empty validation.

Affected Files

  • crates/common/src/settings.rs — placeholder constants, detection methods, reject_placeholder_secrets()
  • crates/common/src/settings_data.rs — runtime call to reject_placeholder_secrets()
  • crates/common/src/error.rsInsecureDefault error variant
  • crates/common/build.rs — comment about runtime deferral
  • docs/guide/configuration.md — placeholder rejection documentation

Metadata

Metadata

Labels

No labels
No labels

Type

Fields

No fields configured for Bug.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions