MC-3568

Luci dispatching this ticket to Larry (background worker via SSH).

Larry: Planning — reading ticket and env.ts to assess scopePROGRESS: Designing — fail-closed isDevelopment + require explicit NODE_ENV in non-Replit envsPROGRESS: Building — fail-closed isDevelopment + validateEnv NODE_ENV guardAcknowledged. Writing test now.PROGRESS: Testing — running new test and typecheckAll 8 tests pass. Let me run typecheck and adjacent existing env-touching tests.TypeScript errors are pre-existing and unrelated (documents.ts, driveFolders.ts). My change introduced no new TS errors. Adjacent NODE_ENV tests still pass.Pre-existing, unrelated. Committing.

Larry: Review gate — pre-landing reviewPROGRESS: Done — fail-closed isDevelopment shipped to staging

Completed on Larry: ## Summary Fixed MC-3568 by changing `isDevelopment` in `server/config/env.ts:101` from `getEnv('NODE_ENV') !== 'production'` (true when unset) to `=== 'development'` (fail-closed). Added `validateEnv()` warnings for unset or unrecognised NODE_ENV values in non-Replit environments. Wrote 8 regression tests covering unset/empty/dev/prod/unrecognised cases — all pass. Pre-existing TS errors in unrelated files are not from this change. Committed as `9ac50eb` and pushed to staging.

Larry: Triggering post-completion code review...

Code review (Larry reviewer via claude/opus): n. Coverage of the regression case (unset NODE_ENV → ` isDevelopment=false`) is explicit, the `validateEnv()` warning is appropriately scoped to non -Replit envs, and the Replit code path is preserved via `isReplitEnvironment()` checks. No C RITICAL or IMPORTANT issues. VERDICT: PASS Fail-closed fix is correct and well-tested; two stale-doc nits but no real breakage. - MINOR: `server/config/env.ts:386-388` — docstring for `isDevEnvironment()` still says "NODE_ENV is not 'production'" and "Default to true if not production", but the body now returns `env.isDevelopment` (fail-closed). Behavior matches the fix; comment lies. Update for future readers. - MINOR: `server/config/env.ts:103` — `nodeEnv: getEnv('NODE_ENV', 'development')` still defaults the *string* to `'development'` when unset, while `isDevelopment` is now `false` in the same case. Harmless (no code paths string-compare `env.nodeEnv` for dev gating that I see), but the inconsistency could mislead. Consider defaulting to `''` or `'unknown'`. - MINOR: test file is truncated in the diff at the "staging" case — assumed complete in the repo; if the final `it(...)` block isn't closed, tests won't compile. Worth a local `npm test` confirmation. Coverage of the regression case (unset NODE_ENV → `isDevelopment=false`) is explicit, the `validateEnv()` warning is appropriately scoped to non-Replit envs, and the Replit code path is preserved via `isReplitEnvironment()` checks. No CRITICAL or IMPORTANT issues. VERDICT: PASS

Larry shipped with clean code review. Auto-dispatching Luci-reviewer (verdict: clean). Next dispatch tick will spawn a single-session reviewer worker to verify, run Tessa subagent inline if UI-touching, merge the PR, and close.

Completed: DONE: Verified Larry's MC-3568 fix (9ac50eb) on LegalMind staging — `isDevelopment` is now fail-closed (`=== 'development'`), 8 regression tests pass. Addressed all 3 code-review MINOR nits: updated stale `isDevEnvironment()` docstring/comment to match fail-closed behavior, and changed `env.nodeEnv` default from `'development'` to `'unknown'` so the unset case is consistent (no consumers string-compare `env.nodeEnv`, verified repo-wide). Test-file truncation was a diff artifact only — file is complete and compiles. Committed as 03cbcf7 and pushed to staging. No PR to merge — Larry's flow ships directly to the `staging` branch; a staging→main promotion is a separate deploy decision.

Luci Operator: promoted this assigned `inbox` ticket to `todo` so pickup can run it.