feat: enable SQLite WAL mode for all databases (AGI ticket #1) (#153)

src/config.py

@@ -1,3 +1,6 @@
+import logging as _logging
+import os
+import sys
 from typing import Literal
 
 from pydantic_settings import BaseSettings, SettingsConfigDict
@@ -339,37 +342,50 @@ def get_effective_ollama_model() -> str:
 
 
 # ── Startup validation ───────────────────────────────────────────────────────
-# Enforce security requirements — fail fast in production.
-import logging as _logging
-import sys
-
 _startup_logger = _logging.getLogger("config")
+_startup_validated = False
 
-# Production mode: require secrets to be set
-if settings.timmy_env == "production":
-    _missing = []
-    if not settings.l402_hmac_secret:
-        _missing.append("L402_HMAC_SECRET")
-    if not settings.l402_macaroon_secret:
-        _missing.append("L402_MACAROON_SECRET")
-    if _missing:
-        _startup_logger.error(
-            "PRODUCTION SECURITY ERROR: The following secrets must be set: %s\n"
-            'Generate with: python3 -c "import secrets; print(secrets.token_hex(32))"\n'
-            "Set in .env file or environment variables.",
-            ", ".join(_missing),
-        )
-        sys.exit(1)
-    _startup_logger.info("Production mode: security secrets validated ✓")
-else:
-    # Development mode: warn but continue
-    if not settings.l402_hmac_secret:
-        _startup_logger.warning(
-            "SEC: L402_HMAC_SECRET is not set — "
-            "set a unique secret in .env before deploying to production."
-        )
-    if not settings.l402_macaroon_secret:
-        _startup_logger.warning(
-            "SEC: L402_MACAROON_SECRET is not set — "
-            "set a unique secret in .env before deploying to production."
-        )
+
+def validate_startup(*, force: bool = False) -> None:
+    """Enforce security requirements — call from app entry points, not import.
+
+    Skipped in test mode (TIMMY_TEST_MODE=1) unless force=True.
+    In production: sys.exit(1) if required secrets are missing.
+    In development: log warnings only.
+    """
+    global _startup_validated
+    if _startup_validated and not force:
+        return
+
+    if os.environ.get("TIMMY_TEST_MODE") == "1" and not force:
+        _startup_validated = True
+        return
+
+    if settings.timmy_env == "production":
+        _missing = []
+        if not settings.l402_hmac_secret:
+            _missing.append("L402_HMAC_SECRET")
+        if not settings.l402_macaroon_secret:
+            _missing.append("L402_MACAROON_SECRET")
+        if _missing:
+            _startup_logger.error(
+                "PRODUCTION SECURITY ERROR: The following secrets must be set: %s\n"
+                'Generate with: python3 -c "import secrets; print(secrets.token_hex(32))"\n'
+                "Set in .env file or environment variables.",
+                ", ".join(_missing),
+            )
+            sys.exit(1)
+        _startup_logger.info("Production mode: security secrets validated ✓")
+    else:
+        if not settings.l402_hmac_secret:
+            _startup_logger.warning(
+                "SEC: L402_HMAC_SECRET is not set — "
+                "set a unique secret in .env before deploying to production."
+            )
+        if not settings.l402_macaroon_secret:
+            _startup_logger.warning(
+                "SEC: L402_MACAROON_SECRET is not set — "
+                "set a unique secret in .env before deploying to production."
+            )
+
+    _startup_validated = True