Address code review: add production warning and fix naming consistency

Copilot · hotlong · Copilot · commit 010969ce7fe5 · 2026-02-11T07:54:57.000Z
Co-authored-by: hotlong &lt;50353452+hotlong@users.noreply.github.com&gt;
diff --git a/.env.example b/.env.example
@@ -9,12 +9,12 @@ AUTH_SECRET=your-super-secret-key-change-this-in-production
 
 # ─── Database Configuration ─────────────────────────────────────────────────
 
-# Optional: Database connection URL (defaults to SQLite: objectos.db)
+# Optional: Database connection URL (defaults to SQLite: objectstack.db)
 # Examples:
 # - PostgreSQL: postgres://user:password@localhost:5432/objectos
 # - MongoDB: mongodb://localhost:27017/objectos
-# - SQLite: sqlite:objectos.db (or omit for default)
-# OBJECTQL_DATABASE_URL=sqlite:objectos.db
+# - SQLite: sqlite:objectstack.db (or omit for default)
+# OBJECTQL_DATABASE_URL=sqlite:objectstack.db
 
 # ─── OAuth Provider Configuration ───────────────────────────────────────────
 
@@ -54,8 +54,8 @@ AUTH_SECRET=your-super-secret-key-change-this-in-production
 
 # ─── Two-Factor Authentication ──────────────────────────────────────────────
 
-# Optional: 2FA issuer name (defaults to "ObjectOS")
-# BETTER_AUTH_2FA_ISSUER=ObjectOS
+# Optional: 2FA issuer name (defaults to "ObjectStack")
+# BETTER_AUTH_2FA_ISSUER=ObjectStack
 
 # ─── Server Configuration ───────────────────────────────────────────────────
 
diff --git a/README.md b/README.md
@@ -169,7 +169,7 @@ AUTH_SECRET=your-super-secret-key-change-this-in-production
 
 **Optional Configuration:**
 
-- **Database**: Defaults to SQLite (`objectos.db`). Set `OBJECTQL_DATABASE_URL` for PostgreSQL or MongoDB.
+- **Database**: Defaults to SQLite (`objectstack.db`). Set `OBJECTQL_DATABASE_URL` for PostgreSQL or MongoDB.
 - **OAuth Providers**: Configure `GOOGLE_CLIENT_ID`, `GITHUB_CLIENT_ID`, etc. for social login.
 - **Enterprise SSO**: Set up Auth0, Okta, Keycloak, or Azure AD via environment variables.
 
diff --git a/objectstack.config.ts b/objectstack.config.ts
@@ -67,7 +67,13 @@ export default defineStack({
 
     // Core
     new AuthPlugin({
-      secret: process.env.AUTH_SECRET || 'dev-secret-change-in-production-min-32-chars',
+      secret: process.env.AUTH_SECRET || (() => {
+        const defaultSecret = 'dev-secret-change-in-production-min-32-chars';
+        if (process.env.NODE_ENV === 'production') {
+          console.error('WARNING: Using default AUTH_SECRET in production! Set AUTH_SECRET environment variable.');
+        }
+        return defaultSecret;
+      })(),
       baseUrl: process.env.BETTER_AUTH_URL || 'http://localhost:5320',
     }),
     new PermissionsPlugin(),
