Context
Surfaced by the Phase 0 critical-review on #3791 (fail-closed JWT validation).
The JWT default/weakness predicate is duplicated:
lib/helpers/config.js — JWT_DEFAULT_SECRETS Set + the empty / <32-char / known-default check in validateJwtSecret.modules/home/services/home.service.js — its own JWT_DEFAULTS Set + an identical jwtInsecure predicate for the readiness report.
The two are identical today but will drift the moment a new default placeholder or threshold is added in one place only.
Proposal
Export the canonical default-secret Set + a single isJwtSecretWeak(secret) helper from config.js; import it in home.service.js readiness. One source of truth.
Acceptance
- One exported predicate, both call sites use it.
- No behavior change (existing readiness + validateJwtSecret tests stay green).
Context
Surfaced by the Phase 0 critical-review on #3791 (fail-closed JWT validation).
The JWT default/weakness predicate is duplicated:
lib/helpers/config.js—JWT_DEFAULT_SECRETSSet + the empty / <32-char / known-default check invalidateJwtSecret.modules/home/services/home.service.js— its ownJWT_DEFAULTSSet + an identicaljwtInsecurepredicate for the readiness report.The two are identical today but will drift the moment a new default placeholder or threshold is added in one place only.
Proposal
Export the canonical default-secret Set + a single
isJwtSecretWeak(secret)helper fromconfig.js; import it inhome.service.jsreadiness. One source of truth.Acceptance