fix: enforce auth secret and remove dead auth config exports

cursoragent · cursoragent · commit dd68259948c0 · 2026-05-01T14:09:56.000Z
diff --git a/apps/web/alchemy.run.ts b/apps/web/alchemy.run.ts
@@ -53,13 +53,18 @@ const program = Effect.gen(function* () {
   //
   // See `docs/adr/0003-build-time-env-injection-with-effect-config.md`
   // (which supersedes the runtime-decrypt approach in ADR 0001).
+  const betterAuthSecret = process.env.BETTER_AUTH_SECRET;
+  if (!betterAuthSecret) {
+    throw new Error("BETTER_AUTH_SECRET environment variable is required");
+  }
+
   const website = yield* Cloudflare.Vite("TanstackStart", {
     compatibility: {
       flags: ["nodejs_compat"],
     },
     env: {
       DATABASE_URL: db.connectionUri,
-      BETTER_AUTH_SECRET: process.env.BETTER_AUTH_SECRET ?? "",
+      BETTER_AUTH_SECRET: betterAuthSecret,
       POLAR_ACCESS_TOKEN: process.env.POLAR_ACCESS_TOKEN ?? "",
       POLAR_WEBHOOK_SECRET: process.env.POLAR_WEBHOOK_SECRET ?? "",
       POLAR_PRO_PRODUCT_ID_PRODUCTION:
diff --git a/packages/auth/src/config.ts b/packages/auth/src/config.ts
@@ -26,9 +26,6 @@ import * as Option from "effect/Option";
 import * as Redacted from "effect/Redacted";
 
 const program = Effect.gen(function* () {
-  const betterAuthSecret = yield* Config.option(
-    Config.redacted("BETTER_AUTH_SECRET"),
-  );
   const polarAccessToken = yield* Config.option(
     Config.redacted("POLAR_ACCESS_TOKEN"),
   );
@@ -43,7 +40,6 @@ const program = Effect.gen(function* () {
     Config.string("STACKPANEL_DEPLOY_ENV"),
   );
   return {
-    betterAuthSecret,
     polarAccessToken,
     polarWebhookSecret,
     polarSuccessUrl,
@@ -58,10 +54,6 @@ const program = Effect.gen(function* () {
 // throws is a true validation failure (none of these schemas have one).
 const resolved = Effect.runSync(program);
 
-/** Better-Auth signing secret — `Redacted` so it doesn't accidentally leak. */
-export const betterAuthSecret: Option.Option<Redacted.Redacted<string>> =
-  resolved.betterAuthSecret;
-
 /** Polar API access token. When `None`, the polar plugin is not mounted. */
 export const polarAccessToken: Option.Option<Redacted.Redacted<string>> =
   resolved.polarAccessToken;
@@ -84,13 +76,6 @@ export const corsOrigin: Option.Option<string> = resolved.corsOrigin;
 export const stackpanelDeployEnv: Option.Option<string> =
   resolved.stackpanelDeployEnv;
 
-/**
- * Unwrap a `Redacted<string>` only at the boundary where an SDK requires
- * a raw string. Centralized so callers don't sprinkle `Redacted.value`
- * around the codebase.
- */
-export const reveal = Redacted.value;
-
 /**
  * Treats an empty string the same as a missing value. Used because
  * `Cloudflare.Vite({ env: { POLAR_ACCESS_TOKEN: process.env.POLAR_ACCESS_TOKEN ?? "" } })`
