internal/server/app.go reads SCHEDULED_TASK_SECRET (plaintext) directly from the environment as a fallback path (line 261). In AWS bearer mode, the Terraform module sets SCHEDULED_TASK_AUTH_MODE=bearer and SCHEDULED_TASK_SECRET_NAME (ARN) but NOT SCHEDULED_TASK_SECRET, so the secret is resolved from Secrets Manager at startup. However the plaintext env var path remains active for any deployment that sets it directly. Lambda env vars are visible in the AWS console and Terraform state. The bearer token for /api/scheduled/* protects internal endpoints from unauthenticated invocations — if it leaks, an attacker can trigger recommendation collection or purchase processing. Remediation: add a startup guard: if SCHEDULED_TASK_AUTH_MODE=bearer and SCHEDULED_TASK_SECRET is non-empty, emit a WARNING that the plaintext path is deprecated. In production, reject it entirely (require SCHEDULED_TASK_SECRET_NAME). File: internal/server/app.go lines 258-283, internal/server/scheduledauth/config.go.
internal/server/app.go reads SCHEDULED_TASK_SECRET (plaintext) directly from the environment as a fallback path (line 261). In AWS bearer mode, the Terraform module sets SCHEDULED_TASK_AUTH_MODE=bearer and SCHEDULED_TASK_SECRET_NAME (ARN) but NOT SCHEDULED_TASK_SECRET, so the secret is resolved from Secrets Manager at startup. However the plaintext env var path remains active for any deployment that sets it directly. Lambda env vars are visible in the AWS console and Terraform state. The bearer token for /api/scheduled/* protects internal endpoints from unauthenticated invocations — if it leaks, an attacker can trigger recommendation collection or purchase processing. Remediation: add a startup guard: if SCHEDULED_TASK_AUTH_MODE=bearer and SCHEDULED_TASK_SECRET is non-empty, emit a WARNING that the plaintext path is deprecated. In production, reject it entirely (require SCHEDULED_TASK_SECRET_NAME). File: internal/server/app.go lines 258-283, internal/server/scheduledauth/config.go.