security hardening

app/services/config/env.server.ts

@@ -0,0 +1,33 @@
+/**
+ * Small env-access helpers that fail closed.
+ *
+ * `requireEnv` throws a clear error (without ever printing the secret value)
+ * when a required environment variable is missing or empty. `optionalEnv`
+ * returns the trimmed value or undefined.
+ */
+
+/**
+ * Returns the value of `name` from `process.env`, throwing if it is unset or
+ * empty (after trimming). The secret value itself is never included in the
+ * error message.
+ */
+export function requireEnv(name: string): string {
+  const raw = process.env[name];
+  if (raw === undefined || raw.trim() === "") {
+    throw new Error(
+      `Missing required environment variable "${name}". ` +
+        `Set it before starting the app (see deploy/.env.dev.example).`,
+    );
+  }
+  return raw;
+}
+
+/**
+ * Returns the value of `name` from `process.env`, or `undefined` if it is
+ * unset or empty (after trimming).
+ */
+export function optionalEnv(name: string): string | undefined {
+  const raw = process.env[name];
+  if (raw === undefined || raw.trim() === "") return undefined;
+  return raw;
+}