From f3dcee04af6046ddb71d7d695f80689d0b5187bf Mon Sep 17 00:00:00 2001
From: jackrescuer-gif
Date: Wed, 13 May 2026 16:53:08 +0300
Subject: [PATCH] fix(config): override existing env vars when loading .env

PM2 daemon caches env from its startup shell; dotenv (default no-override) then silently ignores .env values that conflict. Caused a 2-hour incident with a revoked GITHUB_ISSUES_TOKEN where only `pm2 kill` recovered.
---
 backend/src/config.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/backend/src/config.ts b/backend/src/config.ts
index a30c725..59f1a54 100644
--- a/backend/src/config.ts
+++ b/backend/src/config.ts
@@ -1,6 +1,12 @@
-import 'dotenv/config';
+import { config as loadDotenv } from 'dotenv';
 import { z } from 'zod';
 
+// override: true — .env wins over inherited process env (PM2/daemon cache).
+// Production incident 2026-05-13: PM2 daemon cached a revoked GITHUB_ISSUES_TOKEN
+// in its env, dotenv (default no-override) silently ignored the new value in .env,
+// and only a full `pm2 kill` recovered. Override removes that footgun.
+loadDotenv({ override: true });
+
 const envSchema = z.object({
 DATABASE_URL: z.string(),
 JWT_SECRET: z.string().min(10),
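Review bot: With `loadDotenv({ override: true })`, any `.env` file in the working directory now silently replaces values the process was started with, including `JWT_SECRET` and `DATABASE_URL` from the schema below, so a stale or leftover `.env` on a host that injects secrets through the environment would reproduce the same stale-credential failure in the opposite direction. Whether any deployment injects secrets that way is not visible from this hunk, so that needs confirming. I would keep the override but make it observable by logging the names (never the values) of keys where `.env` replaced an inherited value, as sketched below. The comment should also say that whoever can write `.env` now decides the effective secrets. The `envSchema` object continues outside the hunk.

```typescript
import { config as loadDotenv } from 'dotenv';
// … unchanged: zod import and the override rationale comment …
const inherited = { ...process.env };
const { parsed = {} } = loadDotenv({ override: true });
const replaced = Object.keys(parsed).filter(
  (key) => inherited[key] !== undefined && inherited[key] !== parsed[key],
);
if (replaced.length > 0) {
  // Names only: values may be secrets and must not reach the logs.
  console.warn(`[config] .env replaced inherited env for: ${replaced.join(', ')}`);
}
```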