cube-client-module-level-import-dev-fallback-dangerous

Reading CUBEJS_API_SECRET at module import time with a dev fallback string is doubly dangerous: module-level reads don’t respect runtime env changes, and the dev fallback is a publicly known value. In production this would sign real JWTs with a compromised secret. Fix: lazy _cube_api_secret() function that reads at call time and raises hard in production if the dev fallback is detected.

Related

• module-level-env-reads-with-dev-fallback-bypass-runtime-conf
• cube-client-module-level-secret-read-breaks-prod
• python-module-level-env-read-bypasses-prod-safety
• module-level-env-reads-bypass-runtime-env-in-python
• snowflake
• echarts-chart-renderer-flat-row-shape-assumption