ENV-006 critical environment-config

Staging env vars match production

Same env vars as prod, except payment gateways (sandbox OK); email must use the real provider

Question to ask

"What breaks in staging that works in prod due to different config?"

Verification guide

Severity: Critical

Check automatically:

  1. Compare env var structure if using IaC:

    diff <(grep -h "variable\|env\|secret" terraform/prod/*.tf 2>/dev/null | sort) \
         <(grep -h "variable\|env\|secret" terraform/staging/*.tf 2>/dev/null | sort)
    
  2. Check for env var documentation:

    cat .env.example README.md docs/*.md 2>/dev/null | grep -i "staging\|production\|environment"
    
  3. If using GitHub environments, compare secrets count:

    gh api repos/{owner}/{repo}/environments --jq '.environments[] | {name: .name}'
    

Ask user:

  • Are staging env vars intentionally mirrored from production?
  • What are the known exceptions?
    • Payment gateways (sandbox) - acceptable
    • Email provider - should be real, not sandbox (catches deliverability issues)
    • Third-party API keys - sandbox or production?

Pass criteria:

  • Staging uses same env var set as production
  • Only payment gateways in sandbox mode
  • Email uses real provider settings (not sandbox)

Fail criteria:

  • Staging missing env vars that exist in production
  • Email in sandbox mode (won't catch deliverability issues)
  • Multiple services in sandbox (staging won't match prod behavior)
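As an added example (not part of the original checklist), a small Python script that applies the pass/fail criteria above to a staging and a production `.env`: it reports variables present only in production, flags the email provider when it runs in sandbox mode, and flags more than one sandboxed service. The file contents, variable names and the service-to-variable table are constructed assumptions; adapt the table to the project's own variables.

```python
# Constructed sample .env contents; variable names are hypothetical, not from a real project.
PROD_ENV = """\
DATABASE_URL=postgres://prod-db/app
STRIPE_MODE=live
SENDGRID_SANDBOX_MODE=false
SENTRY_DSN=https://example.invalid/1
"""
STAGING_ENV = """\
DATABASE_URL=postgres://staging-db/app
STRIPE_MODE=test
SENDGRID_SANDBOX_MODE=true
"""
# Values that mean "sandbox", and which mode variable belongs to which service
# (assumed names). Payment may be sandboxed in staging; email must be real.
SANDBOX_VALUES = {"sandbox", "test", "true", "1"}
SERVICE_MODE_VARS = {
    "STRIPE_MODE": ("payment", True),           # (service, sandbox allowed)
    "SENDGRID_SANDBOX_MODE": ("email", False),
}

def parse_env(text):
    """Parse KEY=value lines into a dict, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def check_env006(prod_text, staging_text):
    """Apply the ENV-006 pass/fail criteria; return (passed, findings)."""
    prod, staging = parse_env(prod_text), parse_env(staging_text)
    findings = []
    missing = sorted(set(prod) - set(staging))   # fail: vars present only in prod
    if missing:
        findings.append("missing in staging: " + ", ".join(missing))
    sandboxed = []
    for var, (service, allowed) in SERVICE_MODE_VARS.items():
        if staging.get(var, "").lower() in SANDBOX_VALUES:
            sandboxed.append(service)
            if not allowed:                       # fail: email in sandbox mode
                findings.append(f"{service} in sandbox mode ({var}={staging[var]})")
    if len(sandboxed) > 1:                        # fail: several services sandboxed
        findings.append("multiple services in sandbox: " + ", ".join(sandboxed))
    return not findings, findings

if __name__ == "__main__":
    passed, notes = check_env006(PROD_ENV, STAGING_ENV)
    print("PASS" if passed else "FAIL", *notes, sep="\n  ")
```

Run it against the real staging and production files exported by your deployment tooling; the constructed sample fails on all three criteria.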

Evidence to capture:

  • List of known staging/prod differences
  • Payment gateway mode (sandbox - OK)
  • Email provider mode (should be real)
  • Any other sandbox services (flag for review)

Cross-reference with:

  • ENV-004 (staging in production mode)
  • ENV-002 (staging exists)

Section: 04. Environments (Infrastructure & Setup)