Validate config at startup, secrets in memory only. Never read config during requests, never store secrets in env vars. Use node-env-resolver for multi-source config.
Validates configuration at startup using Zod or node-env-resolver, failing fast for missing values. Loads secrets directly into memory from secret managers, never from environment variables.
/plugin marketplace add jagreehal/jagreehal-claude-skills/plugin install jagreehal-claude-skills@jagreehal-marketplaceThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Validate once at startup, fail fast, never leak secrets.
Configuration is a potential source of runtime errors. Validate at startup so failures happen immediately, not at 3 AM when a code path finally executes.
Use node-env-resolver for multi-source configuration with validation:
import { resolveAsync } from 'node-env-resolver';
import { processEnv } from 'node-env-resolver/resolvers';
import { postgres, string, number } from 'node-env-resolver/validators';
import { awsSecrets } from 'node-env-resolver-aws';
const config = await resolveAsync({
resolvers: [
// Non-sensitive config from process.env (safe)
[processEnv(), {
PORT: number({ default: 3000 }),
NODE_ENV: ['development', 'production'] as const,
}],
// Secrets loaded directly into memory from AWS (never touch process.env)
[awsSecrets({ secretId: 'my-app' }), {
DATABASE_URL: postgres(),
API_KEY: string(),
}],
],
options: {
preventProcessEnvWrite: true, // Secrets never touch process.env
},
});
Alternative: Use Zod directly for simpler setups:
// config/schema.ts
import { z } from 'zod';
const ConfigSchema = z.object({
port: z.coerce.number().min(1).max(65535),
database: z.object({
host: z.string().min(1),
port: z.coerce.number(),
name: z.string().min(1),
}),
redis: z.object({
url: z.string().url(),
}),
logLevel: z.enum(['debug', 'info', 'warn', 'error']),
});
export type Config = z.infer<typeof ConfigSchema>;
// main.ts - Validate immediately on startup
const config = ConfigSchema.parse({
port: process.env.PORT,
database: {
host: process.env.DB_HOST,
port: process.env.DB_PORT,
name: process.env.DB_NAME,
},
redis: {
url: process.env.REDIS_URL,
},
logLevel: process.env.LOG_LEVEL,
});
// If we get here, config is valid and typed
Config should be resolved ONCE at startup, then injected:
// WRONG - Reading env vars during request
async function getUser(args: { userId: string }, deps: GetUserDeps) {
const timeout = parseInt(process.env.DB_TIMEOUT || '5000'); // Reads every call!
return deps.db.findUser(args.userId, { timeout });
}
// CORRECT - Config injected via deps
type GetUserDeps = {
db: Database;
config: { dbTimeout: number };
};
async function getUser(args: { userId: string }, deps: GetUserDeps) {
return deps.db.findUser(args.userId, { timeout: deps.config.dbTimeout });
}
Never store secrets in environment variables. Load directly from secret managers into memory:
// WRONG - Secret in env, visible in process dumps, /proc/self/environ, child processes
const apiKey = process.env.API_KEY;
// CORRECT - Fetch from secret manager at startup, loaded into memory only
const config = await resolveAsync({
resolvers: [
[awsSecrets({ secretId: 'my-app' }), {
API_KEY: string(),
DATABASE_PASSWORD: string(),
}],
],
options: {
preventProcessEnvWrite: true, // Secrets never touch process.env
},
});
// Secrets are in config object in memory, never in process.env
const deps = { db: createDb(config.DATABASE_PASSWORD), apiKey: config.API_KEY };
Why memory is safer:
process.env is accessible to child processes/proc/self/environ exposes all environment variablesPrefer short-lived, auto-rotating credentials over long-lived secrets:
const config = await resolveAsync({
resolvers: [
[awsSecrets({
secretId: 'prod/db-creds',
refreshInterval: 3600000, // Refresh every hour
}), {
DB_USERNAME: string(),
DB_PASSWORD: string(), // Short-lived, auto-rotated
}],
],
});
If a credential leaks, automatic expiration limits the blast radius.
Runtime policies protect production, but what about the .env file that should never exist? Run secret scanning in CI:
# .github/workflows/security.yml
name: Security Checks
on: [push, pull_request]
jobs:
secret-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for thorough scanning
- name: TruffleHog Secret Scan
uses: trufflesecurity/trufflehog@main
with:
extra_args: --only-verified
Tools like TruffleHog and Gitleaks scan commit history, catching secrets that were committed and then "deleted" (but still exist in git history).
// WRONG - Default values hide misconfiguration
const port = process.env.PORT || 3000;
const dbHost = process.env.DB_HOST || 'localhost';
// CORRECT - Fail immediately if missing
const ConfigSchema = z.object({
port: z.coerce.number(), // No default - must be provided
dbHost: z.string().min(1), // No default - must be provided
});
// Throws ZodError at startup if missing
const config = ConfigSchema.parse(process.env);
Use Zod inference to ensure type safety:
// Config type is inferred from schema
export type Config = z.infer<typeof ConfigSchema>;
// Deps include typed config
type GetUserDeps = {
db: Database;
config: Pick<Config, 'dbTimeout' | 'maxRetries'>;
};
const EnvSchema = z.enum(['development', 'staging', 'production']);
const BaseConfigSchema = z.object({
env: EnvSchema,
port: z.coerce.number(),
});
// Environment-specific overrides
const ProductionConfigSchema = BaseConfigSchema.extend({
env: z.literal('production'),
sslEnabled: z.literal(true),
});
const DevelopmentConfigSchema = BaseConfigSchema.extend({
env: z.literal('development'),
sslEnabled: z.literal(false).default(false),
});
const ConfigSchema = z.discriminatedUnion('env', [
ProductionConfigSchema,
DevelopmentConfigSchema,
]);
Configuration resolution should accept resolvers as parameters:
// config.ts
import { resolveAsync, type Resolver } from 'node-env-resolver';
import { processEnv } from 'node-env-resolver/resolvers';
import { awsSecrets } from 'node-env-resolver-aws';
import { postgres, string, number } from 'node-env-resolver/validators';
const schema = {
PORT: number({ default: 3000 }),
DATABASE_URL: postgres(),
API_KEY: string(),
};
export async function getConfig(
resolvers: Resolver[] = [
processEnv(),
awsSecrets({ secretId: 'my-app' }),
]
) {
return resolveAsync({
resolvers: resolvers.map(r => [r, schema]),
});
}
Now your tests can inject mock resolvers:
// config.test.ts
import { getConfig } from './config';
it('should resolve configuration', async () => {
const mockResolver = {
name: 'test-env',
load: async () => ({
DATABASE_URL: 'postgres://test:5432/testdb',
API_KEY: 'test-key',
}),
loadSync: () => ({
DATABASE_URL: 'postgres://test:5432/testdb',
API_KEY: 'test-key',
}),
};
const config = await getConfig([mockResolver]);
expect(config.DATABASE_URL).toBe('postgres://test:5432/testdb');
expect(config.API_KEY).toBe('test-key');
expect(config.PORT).toBe(3000); // default value
});
No vi.mock() needed. Just pass a resolver object. This is the same dependency injection pattern we've been using throughout.
import { mock } from 'vitest-mock-extended';
const testConfig: Pick<Config, 'dbTimeout'> = {
dbTimeout: 100, // Fast for tests
};
const deps = {
db: mock<Database>(),
config: testConfig,
};
const result = await getUser({ userId: '123' }, deps);
| Rule | Implementation |
|---|---|
| Validate at startup | Zod schema.parse() in main.ts |
| Never read during request | Inject config via deps |
| Secrets in memory | SecretManager.get(), not process.env |
| Fail fast | No defaults for required config |
| Type safety | z.infer<typeof Schema> |
This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.