Config & Environment rules

Validate required runtime env vars at container start via an entrypoint script; exit with a clear message on missing values.

Encrypt sensitive columns (e.g., email, phone) with managed keys; ensure DB connection enforces TLS. Store only ciphertext; compare via deterministic token/hashes when needed. (GDPR Art. 32)

PII tables must include an expires_at (or retention_policy) column and a scheduled deletion/archival job aligned to data category. No indefinite retention. (GDPR Art. 5(1)(e))

Read API URLs/keys from ENV/credentials and inject where needed; do not hardcode.

Load and validate environment/config once during startup; inject settings into modules instead of re-reading env.

Read secrets (process.env.*) only in Server Components, Route Handlers, or server actions. Client Components must use ONLY NEXT_PUBLIC_* variables.

Use headers() and cookies() in Server Components, Route Handlers, or server actions; never in Client Components.

All cache entries containing PII must set an explicit TTL aligned to the retention policy (e.g., 24h). No indefinite storage of personal data in Redis or in-memory caches.

Never hardcode credentials (API keys, tokens, private keys) in source code, configs, or tests. If a string looks like a credential based on context (variable name, header usage, auth flows), treat it as a secret even if it is not high-entropy. Move it to env/secret manager, rotate the credential if it may have leaked, and remove it from git history if necessary.

At process start, validate required configuration keys and fail fast with a clear message if any are missing or malformed.

When removing or decommissioning a feature, ensure the associated feature flag is also removed from: - application code paths, - config/registry files (e.g., flags.ts, config.json), and - analytics/feature flag tools (if applicable). If a PostHog (or similar) MCP is available, verify the flag is disabled/removed and not referenced elsewhere. Otherwise, require a repo-wide search evidence in the PR.

Replace repeated set/get config calls with data-driven loops or loaders from a single schema/source.

Perform one-time configuration/dependency validation at process startup (init/bootstrap). Avoid doing it inside per-request middleware/interceptor factories.

Delete dead configuration fields and env flags; keep only variables that change behavior.

Derive paths/URLs from configuration or environment variables, not string literals in code.

All variables must declare a type, default (when sensible), and validation blocks; mark sensitive inputs with sensitive=true.