tessl-labs/configuration-management
Production config management for any backend — centralized config module, env vars, no hardcoded secrets, fail-fast validation
86
1.88x
Quality
77%
Does it follow best practices?
Impact
100%
1.88xAverage score across 5 eval scenarios
Securityby
Passed
No known issues
SKILL.mdskills/configuration-management/
- name:
- configuration-management
- description:
- Configuration management patterns that must be included from day one in any backend application. Apply whenever building, extending, or scaffolding any server, API, CLI tool, or backend service -- even if the task only asks for routes or business logic. These patterns prevent hardcoded secrets leaking to git, apps that silently use wrong config in production, and config scattered across dozens of files.
- keywords:
- configuration management, environment variables, config validation, dotenv, config defaults, twelve factor, hardcoded config, secrets management, config best practices, env vars, backend, api, server, express, fastapi, flask, django, node, python, go, database, connection string, api key, secret key, build app, create app, new project, scaffold
- license:
- MIT
Configuration Management
Production-grade configuration management that belongs in every backend application from day one. When building any server, API, or backend service -- whether a quick prototype or a production service -- always include these patterns without being asked.
Why This Matters From Day One
Configuration management is not a "clean up later" task. Without it from the start:
- Secrets leak to git -- A hardcoded API key or database password in source code gets pushed to the repository. One commit and the secret is in git history forever.
- Deploys silently use wrong values -- A hardcoded
localhost:5432database URL works in development but silently connects to nothing in production. The app starts, seems healthy, then fails on the first request. - Config is scattered everywhere -- One file reads
process.env.DB_HOST, another hardcodes"localhost", a third reads from a YAML file. Nobody knows which config values the app needs. - Missing config causes cryptic runtime errors -- Instead of a clear "Missing DATABASE_URL" at startup, the app crashes 30 minutes later with
TypeError: Cannot read property 'query' of undefined.
These are not edge cases. They are the first things that break when moving from development to production.
The Patterns
1. Centralized Config Module With Validation
All configuration lives in one module. The rest of the app imports from this module -- never reads environment variables directly.
WRONG -- scattered process.env reads
// src/routes/users.ts
const db = new Pool({ connectionString: process.env.DATABASE_URL }); // might be undefined!
// src/routes/payments.ts
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!); // silent undefined
// src/server.ts
const port = process.env.PORT || 3000; // duplicated everywhereRIGHT -- centralized config with validation
// src/config.ts
import 'dotenv/config';
function required(key: string): string {
const value = process.env[key];
if (!value) {
throw new Error(`Missing required environment variable: ${key}`);
}
return value;
}
function optional(key: string, fallback: string): string {
return process.env[key] || fallback;
}
export const config = {
port: parseInt(optional('PORT', '3000'), 10),
nodeEnv: optional('NODE_ENV', 'development'),
logLevel: optional('LOG_LEVEL', 'info'),
// Database
databaseUrl: required('DATABASE_URL'),
// External services
stripeSecretKey: required('STRIPE_SECRET_KEY'),
stripeWebhookSecret: required('STRIPE_WEBHOOK_SECRET'),
// Optional with safe defaults
allowedOrigins: optional('ALLOWED_ORIGINS', 'http://localhost:5173').split(','),
rateLimitWindowMs: parseInt(optional('RATE_LIMIT_WINDOW_MS', '900000'), 10),
rateLimitMax: parseInt(optional('RATE_LIMIT_MAX', '100'), 10),
} as const;Then import it everywhere:
// src/routes/users.ts
import { config } from '../config';
const db = new Pool({ connectionString: config.databaseUrl });
// src/routes/payments.ts
import { config } from '../config';
const stripe = new Stripe(config.stripeSecretKey);Python Example
# app/config.py
import os
from dotenv import load_dotenv
load_dotenv()
def required(key: str) -> str:
value = os.getenv(key)
if not value:
raise RuntimeError(f"Missing required environment variable: {key}")
return value
def optional(key: str, fallback: str) -> str:
return os.getenv(key, fallback)
class Config:
PORT = int(optional("PORT", "8000"))
DATABASE_URL = required("DATABASE_URL")
SECRET_KEY = required("SECRET_KEY")
ALLOWED_ORIGINS = optional("ALLOWED_ORIGINS", "http://localhost:5173").split(",")
LOG_LEVEL = optional("LOG_LEVEL", "info")
DEBUG = optional("DEBUG", "false").lower() == "true"
config = Config()Go Example
// internal/config/config.go
package config
import (
"fmt"
"os"
"strconv"
"strings"
)
type Config struct {
Port int
DatabaseURL string
APIKey string
AllowedOrigins []string
LogLevel string
}
func Load() (*Config, error) {
dbURL, err := required("DATABASE_URL")
if err != nil {
return nil, err
}
apiKey, err := required("API_KEY")
if err != nil {
return nil, err
}
port, _ := strconv.Atoi(optional("PORT", "8080"))
return &Config{
Port: port,
DatabaseURL: dbURL,
APIKey: apiKey,
AllowedOrigins: strings.Split(optional("ALLOWED_ORIGINS", "http://localhost:5173"), ","),
LogLevel: optional("LOG_LEVEL", "info"),
}, nil
}
func required(key string) (string, error) {
v := os.Getenv(key)
if v == "" {
return "", fmt.Errorf("missing required environment variable: %s", key)
}
return v, nil
}
func optional(key, fallback string) string {
if v := os.Getenv(key); v != "" {
return v
}
return fallback
}2. No Hardcoded Secrets or Connection Strings
Never put secrets, API keys, database URLs, or service endpoints directly in source code.
WRONG -- hardcoded secrets
const stripe = new Stripe('sk_live_abc123xyz789');
const db = new Pool({ connectionString: 'postgresql://user:password@db.example.com:5432/mydb' });
const apiKey = 'AIzaSyB1234567890abcdef';WRONG -- secrets in committed config files
// config.json (committed to git)
{
"database": "postgresql://user:password@prod.db.com/app",
"stripeKey": "sk_live_abc123"
}RIGHT -- secrets from environment
import { config } from './config';
const stripe = new Stripe(config.stripeSecretKey);
const db = new Pool({ connectionString: config.databaseUrl });3. .env File for Development, .env.example for Documentation
.env (git-ignored, for local development only)
# .env
DATABASE_URL=postgresql://localhost:5432/myapp_dev
STRIPE_SECRET_KEY=sk_test_localdev123
STRIPE_WEBHOOK_SECRET=whsec_localdev456.env.example (committed, documents all required variables)
# .env.example -- copy to .env and fill in values
DATABASE_URL=postgresql://localhost:5432/myapp_dev
STRIPE_SECRET_KEY=sk_test_...
STRIPE_WEBHOOK_SECRET=whsec_...
LOG_LEVEL=debug
PORT=3000.gitignore must include .env
# Environment variables
.env
.env.local
.env.*.local4. Fail Fast on Missing Required Config
The application must crash immediately at startup if required configuration is missing -- not minutes later when a code path tries to use it.
WRONG -- silent undefined, crashes later
// No error at startup -- crashes when first request tries to use undefined
const dbUrl = process.env.DATABASE_URL; // undefined, no error
// ... 200 lines later ...
const pool = new Pool({ connectionString: dbUrl }); // runtime crashRIGHT -- fail at import time
// config.ts -- throws immediately if DATABASE_URL is not set
export const config = {
databaseUrl: required('DATABASE_URL'), // throws Error at startup
};The app will not start if required config is missing. This means:
- Broken deployments fail immediately in the deployment pipeline
- Developers see exactly what is missing when they clone the project
- No silent failures in production
5. What Gets a Default vs What Is Required
| Config Type | Default | Required | Rationale |
|---|---|---|---|
| PORT | 3000/8080 | No | Safe convention |
| LOG_LEVEL | "info" | No | Safe default |
| NODE_ENV | "development" | No | Safe default |
| ALLOWED_ORIGINS | localhost | No | Safe for dev |
| DATABASE_URL | -- | Yes | No safe default for production databases |
| API keys / secrets | -- | Yes | Must never have defaults |
| SMTP credentials | -- | Yes | Service-specific |
| External service URLs | -- | Yes in prod | Prevents wrong-environment calls |
Rule of thumb: If a wrong default could cause data loss, security exposure, or wrong-environment calls, make it required with no default.
Applying to Any New Backend Application
When building any backend application, always:
- Create a config module (
src/config.ts,app/config.py,internal/config/config.go) as one of the first files - Define required() and optional() helpers that validate at startup
- Move all environment-dependent values into the config module -- ports, URLs, keys, feature flags
- Create
.env.examplelisting every variable the app needs - Add
.envto.gitignorebefore the first commit - Import config from the module everywhere -- never use
process.env,os.getenv, oros.Getenvdirectly in application code
Checklist
Every backend application must have from the start:
- Centralized config module -- all config in one file, not scattered env reads
- Required config validated at startup -- app crashes immediately if missing
- No hardcoded secrets, API keys, or database URLs in source code
-
.envfile for local development, listed in.gitignore -
.env.examplecommitted with all variable names (no real secret values) - All application code imports config from the module, never reads env directly
- Sensible defaults for non-sensitive values (port, log level)
- No defaults for secrets or credentials -- always required