Skip to content

docs: mark security.require_env as decorative in config.yaml#480

Merged
cgfixit merged 1 commit into
mainfrom
claude/cyclaw-optimize-config-comment
Jul 9, 2026
Merged

docs: mark security.require_env as decorative in config.yaml#480
cgfixit merged 1 commit into
mainfrom
claude/cyclaw-optimize-config-comment

Conversation

@cgfixit

@cgfixit cgfixit commented Jul 9, 2026

Copy link
Copy Markdown
Owner

What

Adds a comment above security.require_env in config.yaml noting that no production code reads it.

Why / benefit

Verified via repo-wide grep: require_env appears nowhere in production code, only mirrored in tests/conftest.py's mock-config shape as part of the test fixture surface. CLAUDE.md §4 already documents this as a known agent-facing trap ("assuming the server refuses to boot without GROK_API_KEY... security.require_env is decorative — no code reads it"), but config.yaml itself carried no comment saying so — an operator reading the config file directly had no way to know the key is inert.

Risk to monitor

None — comment-only change, no key/value touched, no behavior change. yaml.safe_load confirms the file still parses and require_env still resolves to ["GROK_API_KEY"].

Scan context

CyClaw-Optimize (ponytail + Karpathy + fable-protocol loaded). Finding #6 of an 8-finding scan; deduped against open PRs #473, #477, #415.


Generated by Claude Code

No production code reads require_env (verified repo-wide grep; it's mirrored
only in tests/conftest.py's mock-config shape). CLAUDE.md already documents
this as a known agent-facing trap, but an operator reading config.yaml
directly had no way to know the key is inert. Comment-only change.
@cgfixit cgfixit marked this pull request as ready for review July 9, 2026 19:29
@cgfixit cgfixit merged commit 84b76f7 into main Jul 9, 2026
29 checks passed
@cgfixit cgfixit deleted the claude/cyclaw-optimize-config-comment branch July 9, 2026 19:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants