From 7bc6165fff06a74f6c2a12540f7d3e9bd0e6db21 Mon Sep 17 00:00:00 2001
From: Space-Banane
Date: Sat, 23 May 2026 00:06:02 +0200
Subject: [PATCH] [fix]. Validate required startup secrets
---
 TODO.md | 2 +-
 src/gitea_codex_bot/main.py | 11 +++++++++++
 tests/test_main_env_validation.py | 19 +++++++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/TODO.md b/TODO.md
index ea267c4..20a8f88 100644
--- a/TODO.md
+++ b/TODO.md
@@ -8,7 +8,7 @@
 - [x] `BUG`: Enforce `.codex-review.yml` `enabled=false` at runtime (currently loaded but not enforced).
 - [x] `BUG`: Remove `.codex-review.yml` fix policy (`commands.allow_fix`) and rely on global `ENABLE_FIX_COMMANDS`.
 - [x] `BUG`: Add stuck-job recovery for `running` jobs (lease timeout + requeue/fail) so one crashed worker does not deadlock the queue.
-- [ ] `BUG`: Validate required secrets/settings are non-empty at startup (`GITEA_WEBHOOK_SECRET`, `GITEA_TOKEN`, `ALLOWED_REPOS`) and fail fast if blank.
+- [x] `BUG`: Validate required secrets/settings are non-empty at startup (`GITEA_WEBHOOK_SECRET`, `GITEA_TOKEN`, `ALLOWED_REPOS`) and fail fast if blank.
 - [ ] `TEST`: Add integration test proving the runner executes the exact PR head SHA in isolated mode and does not rely on host checkout.
 ### P1 (Important)
diff --git a/src/gitea_codex_bot/main.py b/src/gitea_codex_bot/main.py
index 6fd7dc7..7cdd027 100644
--- a/src/gitea_codex_bot/main.py
+++ b/src/gitea_codex_bot/main.py
@@ -35,6 +35,17 @@ logger = logging.getLogger(__name__)
 def _validate_required_env(settings: Settings) -> None:
+ webhook_secret = settings.gitea_webhook_secret.get_secret_value()
+ if not webhook_secret.strip():
+ raise RuntimeError("GITEA_WEBHOOK_SECRET is required")
+
+ gitea_token = settings.gitea_token.get_secret_value()
+ if not gitea_token.strip():
+ raise RuntimeError("GITEA_TOKEN is required")
+
+ if not settings.allowed_repos.strip():
+ raise RuntimeError("ALLOWED_REPOS is required")
+
 if settings.codex_auth_mode != "api_key":
 return
 api_key = settings.openai_api_key.get_secret_value() if settings.openai_api_key else ""
diff --git a/tests/test_main_env_validation.py b/tests/test_main_env_validation.py
index 8d04e1e..ee526ee 100644
--- a/tests/test_main_env_validation.py
+++ b/tests/test_main_env_validation.py
@@ -6,6 +6,25 @@ from gitea_codex_bot.config import get_settings
 from gitea_codex_bot.main import _validate_required_env
+@pytest.mark.parametrize(
+ ("env_name", "env_value", "error_text"),
+ [
+ ("GITEA_WEBHOOK_SECRET", " ", "GITEA_WEBHOOK_SECRET is required"),
+ ("GITEA_TOKEN", " ", "GITEA_TOKEN is required"),
+ ("ALLOWED_REPOS", " ", "ALLOWED_REPOS is required"),
+ ],
+)
+def test_validate_required_env_fails_on_blank_required_settings(
+ monkeypatch: pytest.MonkeyPatch, env_name: str, env_value: str, error_text: str
+) -> None:
+ monkeypatch.setenv(env_name, env_value)
+ get_settings.cache_clear()
+ settings = get_settings()
+
+ with pytest.raises(RuntimeError, match=error_text):
+ _validate_required_env(settings)
+
+
+
 def test_validate_required_env_requires_api_key_in_api_key_mode(monkeypatch: pytest.MonkeyPatch) -> None:
 monkeypatch.setenv("OPENAI_API_KEY", "")
 monkeypatch.setenv("CODEX_AUTH_MODE", "api_key")
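Review bot: The new `if not settings.allowed_repos.strip():` check only rejects an all-whitespace value; if the setting is a delimiter-separated list (as the plural name suggests), a value such as `,` or ` , ` passes the check but yields an empty allowlist, which is exactly the misconfiguration the commit sets out to fail fast on. Consider validating the parsed entries instead, e.g. `if not [r for r in settings.allowed_repos.split(",") if r.strip()]:` (assuming a comma delimiter), ideally via whichever helper the webhook path already uses to parse `allowed_repos` so the two agree. Separately, the two new `get_secret_value()` calls are unguarded while the existing `openai_api_key` line just below guards with `if settings.openai_api_key else ""`; if `gitea_webhook_secret` or `gitea_token` can be `None` in `Settings`, a missing variable would surface as an `AttributeError` rather than the intended `RuntimeError`, so either mirror that guard or add a comment noting that these fields are non-optional. `_validate_required_env` continues past the end of the hunk.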
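Review bot: The parametrized cases in the new `test_validate_required_env_fails_on_blank_required_settings` cover only a whitespace-only value (`" "`) and not the empty string, which is the blank most deployments actually produce; adding a row such as `("GITEA_TOKEN", "", "GITEA_TOKEN is required")` for each variable would pin that case, assuming `Settings` does not treat an empty variable as unset. The test calls `get_settings.cache_clear()` before reading but leaves the blank-valued `Settings` cached afterwards, so a later test that calls `get_settings()` without clearing would observe it; clearing again after the assertion, or in a fixture teardown, keeps the tests order-independent unless a fixture outside the hunk already does this. The following test's body continues outside the hunk.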