From 2907e2c29204322fb0287c9f20cfcefe0a19206a Mon Sep 17 00:00:00 2001
From: soohyunme
Date: Sun, 8 Feb 2026 04:34:44 +0900
Subject: [PATCH 1/2] chore(getcloser): enhance security config with environment variables and validation

---
 getcloser/backend/.env.example | 7 +++++++
 getcloser/backend/app/core/config.py | 19 ++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 getcloser/backend/.env.example

diff --git a/getcloser/backend/.env.example b/getcloser/backend/.env.example
new file mode 100644
index 0000000..e54c956
--- /dev/null
+++ b/getcloser/backend/.env.example
@@ -0,0 +1,7 @@
+# DATABASE_URL=postgresql+psycopg2://user:password@db:5432/app_db
+
+# 보안을 위해 무작위 문자열을 생성하여 설정하세요.
+# 예: openssl rand -hex 32
+SECRET_KEY=your-super-secret-key-here
+
+# ACCESS_TOKEN_EXPIRE_MINUTES=60
diff --git a/getcloser/backend/app/core/config.py b/getcloser/backend/app/core/config.py
index 898895d..4974341 100644
--- a/getcloser/backend/app/core/config.py
+++ b/getcloser/backend/app/core/config.py
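Review bot: The placeholder `SECRET_KEY=your-super-secret-key-here` in this template is not the value the new validator in the config.py hunk rejects (`DEFAULT_SECRET_KEY = "default-secret-key-change-it"`), so a `.env` copied from this file unchanged passes `check_secret_key` under `ENVIRONMENT=prod` and the service starts with a public, guessable signing key. Either make the template use the sentinel the validator knows, `SECRET_KEY=default-secret-key-change-it`, or have the validator reject both placeholders, e.g. `if env in ("prod", "production") and v in {cls.DEFAULT_SECRET_KEY, "your-super-secret-key-here"}:`. A minimum-length check next to the equality test would also catch other weak hand-typed values; the comment already recommends `openssl rand -hex 32`, which yields 64 hex characters, so that is a natural floor to document.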
@@ -1,12 +1,29 @@
 import os
+from pydantic import field_validator
 from pydantic_settings import BaseSettings
 class Settings(BaseSettings):
+ ENVIRONMENT: str = os.getenv("ENVIRONMENT", "dev")
 DATABASE_URL: str = os.getenv("DATABASE_URL", "postgresql+psycopg2://user:password@db:5432/app_db")
+ """ JWT 안쓸 것 같아 일단 주석 처리하고 추후 확정 시 삭제 """
- SECRET_KEY: str = os.getenv("SECRET_KEY", "change-me-in-prod")
+ # Secret key for JWT signing. Must be overridden in production using environment variables.
+ DEFAULT_SECRET_KEY = "default-secret-key-change-it"
+ SECRET_KEY: str = os.getenv("SECRET_KEY", DEFAULT_SECRET_KEY)
+
+ @field_validator("SECRET_KEY")
+ @classmethod
+ def check_secret_key(cls, v, info):
+ """
+ Validate that SECRET_KEY is not using the default placeholder value in production.
+ """
+ env = os.getenv("ENVIRONMENT", "dev").lower()
+ if env in ["prod", "production"] and v == cls.DEFAULT_SECRET_KEY:
+ raise ValueError("SECRET_KEY must be a unique, non-default value in production environments.")
+ return v
+ ALGORITHM: str = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES: int = int(os.getenv("ACCESS_TOKEN_EXPIRE_MINUTES", "60"))
From 08837603476637e6068b7e3c30a2b590b21d7082 Mon Sep 17 00:00:00 2001
From: soohyunme
Date: Sun, 8 Feb 2026 04:46:11 +0900
Subject: [PATCH 2/2] chore(ci): add SECRET_KEY and ENVIRONMENT to getcloser deployment workflow

---
 .github/workflows/deploy-getcloser.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/deploy-getcloser.yml b/.github/workflows/deploy-getcloser.yml
index 14b9af3..571c406 100644
--- a/.github/workflows/deploy-getcloser.yml
+++ b/.github/workflows/deploy-getcloser.yml
@@ -47,6 +47,8 @@ jobs:
 echo "TEAM_SIZE=${{ vars.TEAM_SIZE}}" >> .env
 echo "PENDING_TIMEOUT_MINUTES=${{ vars.PENDING_TIMEOUT_MINUTES}}" >> .env
 echo "DATA_DIR_HOST=${{ vars.DATA_DIR_HOST }}" >> .env
+ echo "SECRET_KEY=${{ secrets.SECRET_KEY }}" >> .env
+ echo "ENVIRONMENT=prod" >> .env
 - name: 🚀 Deploy to PROD
 run: |
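Review bot: `check_secret_key` never sees the fallback it exists to reject: pydantic v2 does not run field validators on a field that takes its default, and with `SECRET_KEY: str = os.getenv("SECRET_KEY", DEFAULT_SECRET_KEY)` an unset SECRET_KEY in production is exactly the default case, so startup passes silently with the placeholder key; declare the field with `Field(default=DEFAULT_SECRET_KEY, validate_default=True)` and let pydantic-settings read the variable. The un-annotated `DEFAULT_SECRET_KEY = "..."` inside a `BaseSettings` subclass is also, as far as I can tell, rejected by pydantic v2 at class creation as a non-annotated attribute, so it needs a `ClassVar[str]` annotation to be a constant rather than a field. Reading the environment back through `os.getenv("ENVIRONMENT")` instead of `info.data` means an ENVIRONMENT supplied only via a pydantic-settings `.env` file (if the project configures one, which is not visible here) is ignored by the check, whereas `info.data` holds the already-validated `ENVIRONMENT` field since it is declared first. The `Settings` class body may continue past the hunk.
```python
from typing import ClassVar
from pydantic import Field, field_validator
# … unchanged: pydantic_settings import, ENVIRONMENT, DATABASE_URL …
    DEFAULT_SECRET_KEY: ClassVar[str] = "default-secret-key-change-it"
    # validate_default=True so the validator below also sees the fallback;
    # otherwise an unset SECRET_KEY in production is precisely the case it misses.
    SECRET_KEY: str = Field(default=DEFAULT_SECRET_KEY, validate_default=True)

    @field_validator("SECRET_KEY")
    @classmethod
    def check_secret_key(cls, v, info):
        """Reject the placeholder key when ENVIRONMENT is prod/production."""
        env = str(info.data.get("ENVIRONMENT", "dev")).lower()
        # … unchanged: comparison against DEFAULT_SECRET_KEY, raise, return v …
```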