fix: eagerly validate DCR config at startup to prevent lazy init bypass

luis5tb · claude · luis5tb · commit 044d02543c30 · 2026-03-30T08:20:37.000+02:00
Move DCR service initialization from lazy (first-request) to eager
(lifespan startup) so Cloud Run fails to start with missing/invalid
DCR_ENCRYPTION_KEY instead of appearing healthy and failing on first
DCR request. Add test coverage for encryption key error paths.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/lightspeed_agent/marketplace/app.py b/src/lightspeed_agent/marketplace/app.py
@@ -37,6 +37,19 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
         logger.error("Failed to initialize database: %s", e)
         raise
 
+    # Startup: Validate DCR configuration (fail-fast on Cloud Run)
+    # This ensures DCR_ENCRYPTION_KEY is valid BEFORE the service becomes ready,
+    # preventing silent failures when the first DCR request arrives.
+    try:
+        from lightspeed_agent.dcr import get_dcr_service
+
+        logger.info("Validating DCR service configuration")
+        get_dcr_service()  # Triggers DCRService.__init__() validation
+        logger.info("DCR service initialized successfully")
+    except Exception as e:
+        logger.error("Failed to initialize DCR service: %s", e)
+        raise
+
     yield
 
     # Shutdown: Close database connection
diff --git a/tests/test_dcr.py b/tests/test_dcr.py
@@ -277,6 +277,39 @@ async def test_get_client(self, service):
         assert client.account_id == "valid-account-123"
 
 
+class TestDCRServiceEncryptionValidation:
+    """Tests for DCR service encryption key validation."""
+
+    def test_dcr_service_missing_key_on_cloud_run(self, monkeypatch, db_session):
+        """Test DCRService raises ValueError when DCR_ENCRYPTION_KEY is missing on Cloud Run."""
+        from lightspeed_agent.config import get_settings
+
+        settings = get_settings()
+        monkeypatch.setenv("K_SERVICE", "test-marketplace-handler")
+        monkeypatch.setattr(settings, "dcr_encryption_key", "")
+
+        with pytest.raises(ValueError, match="DCR_ENCRYPTION_KEY is required in production"):
+            DCRService()
+
+    def test_dcr_service_invalid_encryption_key(self, monkeypatch, db_session):
+        """Test that DCRService raises ValueError for invalid DCR_ENCRYPTION_KEY."""
+        from lightspeed_agent.config import get_settings
+
+        settings = get_settings()
+        monkeypatch.setattr(settings, "dcr_encryption_key", "not-a-valid-fernet-key")
+
+        with pytest.raises(ValueError, match="Invalid DCR_ENCRYPTION_KEY"):
+            DCRService()
+
+    def test_encrypt_secret_without_key_raises(self, db_session):
+        """Test that _encrypt_secret raises RuntimeError when _fernet is None."""
+        service = DCRService()
+        service._fernet = None
+
+        with pytest.raises(RuntimeError, match="Cannot encrypt client secret"):
+            service._encrypt_secret("test-secret")
+
+
 class TestDCRServiceDelete:
     """Tests for DCR service client deletion."""
 
