# DISABLED (#206): relies on a metavariable `constraints` regex (KEY) to flag
# only secret-named access; the runner's interpreter ignores constraints, so the
# bare `process.env.$KEY` pattern matches every env access (noise).
id: no-process-env
language: TypeScript
message: "Avoid direct process.env access for secrets — use config service"
severity: warning
note: |
  Direct process.env access for sensitive values should go through
  a config service for testability and centralization.
  
  BAD:  const key = process.env.API_KEY
        const { password } = process.env
  
  GOOD: const key = config.apiKey
        constructor(private config: ConfigService) {}
rule:
  pattern: process.env.$KEY
constraints:
  KEY:
    regex: "(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|APIKEY|ACCESS_KEY|PRIVATE_KEY|CLIENT_SECRET|CREDENTIALS|BEARER)"
