cube-client-module-level-secret-read-breaks-prod
Reading CUBEJS_API_SECRET at module import time with a dev fallback means the dev key is baked in before runtime env vars apply. Refactor to a lazy _cube_api_secret() function called at JWT-sign time that hard-fails in production if the dev default is detected. Module-level reads with dev fallbacks are a silent prod-boot misconfiguration class.