| name | add-env-var |
| description | Add a new environment variable to the backend the right way — boot-time validation, .env.example documentation, and typed access. Use when introducing any new backend config/secret/flag. |
Add a backend env var
Backend env is validated at boot (fail-fast) in src/config/env.validation.ts.
A misconfigured/missing required var must crash startup, not fail silently later.
Steps
- Declare + validate in
src/config/env.validation.ts on the
EnvironmentVariables class:
- Required:
@IsString() (no @IsOptional). Add stronger checks where it
matters: @MinLength(32) for keys, @IsUrl(...), @IsNumber(), @IsEnum(...).
- Optional: add
@IsOptional() and a sensible default (= '...').
- Add a one-line comment explaining what it's for / how to generate it.
- Document in
.env.example with a comment and a working dev placeholder.
⚠️ If the var is required, the placeholder MUST satisfy validation so a fresh
cp .env.example .env boots (e.g. a ≥32-char string for a key). Mark clearly to
change it for prod.
- Access via
ConfigService.get<T>('NAME') (injected), or process.env.NAME
in non-DI spots (guards/services already do this) — handle the
not-configured case (fail-closed in production where it's a security control).
- Secrets: never log them; if it's a token/credential consider encrypting at
rest (
EncryptionService). Ensure it's covered by .gitignore if it lands in a file.
- Update
backend/CLAUDE.md's "Required env" list if the var is required.
- Verify (from
backend/): bunx tsc -p tsconfig.build.json --noEmit.
Mobile public config goes in app.config.ts / src/constants/config.ts via
EXPO_PUBLIC_* (never put secrets in the mobile bundle).