python-module-level-env-read-bypasses-prod-safety

Module-level os.getenv('SECRET', 'dev-fallback') calls in Python execute at import time, before runtime environment changes apply and before any production-safety validator runs. When SECRET is not yet set at that moment, the dev fallback (often a publicly known key) silently wins. Refactor to a lazy accessor function _get_secret() that is called at use-time, and add an explicit check that rejects dev-default values when ENV=production.
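The import-time read beside the lazy accessor, as an added example that is not code from any particular project. The names sign_eager, sign_lazy, InsecureSecretError, DEV_DEFAULTS, the optional environ parameter and the use of the secret as an HMAC key are assumptions made for illustration.

```python
import hashlib
import hmac
import os

DEV_DEFAULTS = frozenset({"dev-fallback"})  # constructed placeholder value

# BEFORE: evaluated once at import time; later env changes never reach it,
# and no validator has had a chance to run yet.
SECRET_AT_IMPORT = os.getenv("SECRET", "dev-fallback")


class InsecureSecretError(RuntimeError):
    """Production would run with a missing or dev-default secret."""


def _get_secret(environ=None):
    """AFTER: read SECRET at use-time and fail closed when ENV=production."""
    env = os.environ if environ is None else environ
    value = env.get("SECRET")
    if env.get("ENV", "").strip().lower() == "production":
        if not value or value in DEV_DEFAULTS:
            raise InsecureSecretError(
                "SECRET is unset or a dev default while ENV=production")
        return value
    return value or "dev-fallback"  # fallback allowed outside production only


def sign_eager(payload: bytes) -> str:
    """Signs with whatever was frozen at import (the vulnerable pattern)."""
    return hmac.new(SECRET_AT_IMPORT.encode(), payload, hashlib.sha256).hexdigest()


def sign_lazy(payload: bytes, environ=None) -> str:
    """Signs with the secret resolved at call time."""
    return hmac.new(_get_secret(environ).encode(), payload, hashlib.sha256).hexdigest()
```

Calling sign_lazy once during application startup turns a misconfigured production deployment into a startup failure rather than a silently weak key.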