Skip to content

Runtime secret placeholder validation breaks existing deployments #526

Closed
Bug
#527
Closed
Runtime secret placeholder validation breaks existing deployments#526
Bug
#527
Assignees
ChristianPavilonis
@ChristianPavilonis

Description

@ChristianPavilonis
ChristianPavilonis
opened on Mar 19, 2026

Problem

Commit 5d8d16f (#467) introduced runtime placeholder secret validation that rejects known placeholder values for synthetic.secret_key and publisher.proxy_secret at startup. The expanded placeholder list and case-insensitive matching now catches deployments that were previously working fine.

Expected Behavior

Deployments that worked before #467 should continue to work. Secret validation should only check that values are non-empty, not reject specific known strings.

Decision

The team decided this should be a no-fix for now — remove the runtime placeholder checks entirely while keeping the existing non-empty validation.

Affected Files

  • crates/common/src/settings.rs — placeholder constants, detection methods, reject_placeholder_secrets()
  • crates/common/src/settings_data.rs — runtime call to reject_placeholder_secrets()
  • crates/common/src/error.rsInsecureDefault error variant
  • crates/common/build.rs — comment about runtime deferral
  • docs/guide/configuration.md — placeholder rejection documentation

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

Bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions