fleet/server/dev_mode/dev_mode.go

package dev_mode

import (
	"os"
	"sync"
	"testing"
)

// IsEnabled should be configured once at process startup (e.g., via flags) and then treated as read-only.
// It must not be written from concurrent goroutines; SetOverride only affects enabledViaOverride/env overrides.
var IsEnabled bool

// enabledViaOverride is set by SetOverride and protected by mu so that it is
// always observed consistently with envOverrides.
var enabledViaOverride bool

var mu sync.RWMutex

var envOverrides = map[string]string{}

type GetEnv func(name string) string

func Env(name string) string {
	mu.RLock()
	defer mu.RUnlock()

	if !IsEnabled && !enabledViaOverride {
		return ""
	}

	if override, ok := envOverrides[name]; ok {
		return override
	}

	return os.Getenv(name)
}

func SetOverride(name string, value string, cleanup ...*testing.T) { // optional parameter to reset on test cleanup
	if len(cleanup) > 0 {
		cleanup[0].Setenv("FLEET_DEV_OVERRIDE_SET", "1") // triggers test deny-parallel check
		cleanup[0].Cleanup(func() {
			ClearOverride(name)
		})
	}

	mu.Lock()
	defer mu.Unlock()

	enabledViaOverride = true // if we're setting overrides, we're in a test environment so want to turn dev mode on
	envOverrides[name] = value
}

func ClearOverride(name string) {
	mu.Lock()
	defer mu.Unlock()

	delete(envOverrides, name)
}

func ClearAllOverrides() {
	mu.Lock()
	defer mu.Unlock()

	enabledViaOverride = false
	envOverrides = map[string]string{}
}
Only allow FLEET_DEV_* env vars when `--dev` is passed, allow overriding configs one at a time in dev (#38652) Resolves #38484. This includes a CI job change to make sure we don't introduce any more env vars that don't get proxied (and thus turned off outside `--dev`). # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests Manual QA touched hot paths, but did _not_ manually test every FLEET_DEV_ environment variable change. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Centralized dev-mode environment management for consistent FLEET_DEV_* handling and test-friendly overrides. * Dev-mode allows targeted overrides for certain dev-only configuration when running with --dev. * Chores * Migrated environment access to the centralized dev-mode helper across the codebase. * Added CI checks to enforce proper usage of FLEET_DEV_* variables. * Documentation * Added guidance on dev-mode environment variable rules and overrides. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> 2026-01-27 20:32:56 +00:00			`package dev_mode`

			`import (`
			`"os"`
Add lock semantics around dev_mode.IsEnabled to avoid data races (#42646) Add lock semantics around dev_mode.IsEnabled to as a fix for [this](https://github.com/fleetdm/fleet/actions/runs/23728512273) data race 2026-03-31 11:49:45 +00:00			`"sync"`
Only allow FLEET_DEV_* env vars when `--dev` is passed, allow overriding configs one at a time in dev (#38652) Resolves #38484. This includes a CI job change to make sure we don't introduce any more env vars that don't get proxied (and thus turned off outside `--dev`). # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests Manual QA touched hot paths, but did _not_ manually test every FLEET_DEV_ environment variable change. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Centralized dev-mode environment management for consistent FLEET_DEV_* handling and test-friendly overrides. * Dev-mode allows targeted overrides for certain dev-only configuration when running with --dev. * Chores * Migrated environment access to the centralized dev-mode helper across the codebase. * Added CI checks to enforce proper usage of FLEET_DEV_* variables. * Documentation * Added guidance on dev-mode environment variable rules and overrides. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> 2026-01-27 20:32:56 +00:00			`"testing"`
			`)`

Add lock semantics around dev_mode.IsEnabled to avoid data races (#42646) Add lock semantics around dev_mode.IsEnabled to as a fix for [this](https://github.com/fleetdm/fleet/actions/runs/23728512273) data race 2026-03-31 11:49:45 +00:00			`// IsEnabled should be configured once at process startup (e.g., via flags) and then treated as read-only.`
			`// It must not be written from concurrent goroutines; SetOverride only affects enabledViaOverride/env overrides.`
Only allow FLEET_DEV_* env vars when `--dev` is passed, allow overriding configs one at a time in dev (#38652) Resolves #38484. This includes a CI job change to make sure we don't introduce any more env vars that don't get proxied (and thus turned off outside `--dev`). # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests Manual QA touched hot paths, but did _not_ manually test every FLEET_DEV_ environment variable change. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Centralized dev-mode environment management for consistent FLEET_DEV_* handling and test-friendly overrides. * Dev-mode allows targeted overrides for certain dev-only configuration when running with --dev. * Chores * Migrated environment access to the centralized dev-mode helper across the codebase. * Added CI checks to enforce proper usage of FLEET_DEV_* variables. * Documentation * Added guidance on dev-mode environment variable rules and overrides. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> 2026-01-27 20:32:56 +00:00			`var IsEnabled bool`

Add lock semantics around dev_mode.IsEnabled to avoid data races (#42646) Add lock semantics around dev_mode.IsEnabled to as a fix for [this](https://github.com/fleetdm/fleet/actions/runs/23728512273) data race 2026-03-31 11:49:45 +00:00			`// enabledViaOverride is set by SetOverride and protected by mu so that it is`
			`// always observed consistently with envOverrides.`
			`var enabledViaOverride bool`

			`var mu sync.RWMutex`

Only allow FLEET_DEV_* env vars when `--dev` is passed, allow overriding configs one at a time in dev (#38652) Resolves #38484. This includes a CI job change to make sure we don't introduce any more env vars that don't get proxied (and thus turned off outside `--dev`). # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests Manual QA touched hot paths, but did _not_ manually test every FLEET_DEV_ environment variable change. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Centralized dev-mode environment management for consistent FLEET_DEV_* handling and test-friendly overrides. * Dev-mode allows targeted overrides for certain dev-only configuration when running with --dev. * Chores * Migrated environment access to the centralized dev-mode helper across the codebase. * Added CI checks to enforce proper usage of FLEET_DEV_* variables. * Documentation * Added guidance on dev-mode environment variable rules and overrides. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> 2026-01-27 20:32:56 +00:00			`var envOverrides = map[string]string{}`

			`type GetEnv func(name string) string`

			`func Env(name string) string {`
Add lock semantics around dev_mode.IsEnabled to avoid data races (#42646) Add lock semantics around dev_mode.IsEnabled to as a fix for [this](https://github.com/fleetdm/fleet/actions/runs/23728512273) data race 2026-03-31 11:49:45 +00:00			`mu.RLock()`
			`defer mu.RUnlock()`

			`if !IsEnabled && !enabledViaOverride {`
Only allow FLEET_DEV_* env vars when `--dev` is passed, allow overriding configs one at a time in dev (#38652) Resolves #38484. This includes a CI job change to make sure we don't introduce any more env vars that don't get proxied (and thus turned off outside `--dev`). # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests Manual QA touched hot paths, but did _not_ manually test every FLEET_DEV_ environment variable change. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Centralized dev-mode environment management for consistent FLEET_DEV_* handling and test-friendly overrides. * Dev-mode allows targeted overrides for certain dev-only configuration when running with --dev. * Chores * Migrated environment access to the centralized dev-mode helper across the codebase. * Added CI checks to enforce proper usage of FLEET_DEV_* variables. * Documentation * Added guidance on dev-mode environment variable rules and overrides. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> 2026-01-27 20:32:56 +00:00			`return ""`
			`}`
Add lock semantics around dev_mode.IsEnabled to avoid data races (#42646) Add lock semantics around dev_mode.IsEnabled to as a fix for [this](https://github.com/fleetdm/fleet/actions/runs/23728512273) data race 2026-03-31 11:49:45 +00:00
Only allow FLEET_DEV_* env vars when `--dev` is passed, allow overriding configs one at a time in dev (#38652) Resolves #38484. This includes a CI job change to make sure we don't introduce any more env vars that don't get proxied (and thus turned off outside `--dev`). # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests Manual QA touched hot paths, but did _not_ manually test every FLEET_DEV_ environment variable change. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Centralized dev-mode environment management for consistent FLEET_DEV_* handling and test-friendly overrides. * Dev-mode allows targeted overrides for certain dev-only configuration when running with --dev. * Chores * Migrated environment access to the centralized dev-mode helper across the codebase. * Added CI checks to enforce proper usage of FLEET_DEV_* variables. * Documentation * Added guidance on dev-mode environment variable rules and overrides. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> 2026-01-27 20:32:56 +00:00			`if override, ok := envOverrides[name]; ok {`
			`return override`
			`}`

			`return os.Getenv(name)`
			`}`

			`func SetOverride(name string, value string, cleanup ...*testing.T) { // optional parameter to reset on test cleanup`
			`if len(cleanup) > 0 {`
			`cleanup[0].Setenv("FLEET_DEV_OVERRIDE_SET", "1") // triggers test deny-parallel check`
			`cleanup[0].Cleanup(func() {`
			`ClearOverride(name)`
			`})`
			`}`

Add lock semantics around dev_mode.IsEnabled to avoid data races (#42646) Add lock semantics around dev_mode.IsEnabled to as a fix for [this](https://github.com/fleetdm/fleet/actions/runs/23728512273) data race 2026-03-31 11:49:45 +00:00			`mu.Lock()`
			`defer mu.Unlock()`

			`enabledViaOverride = true // if we're setting overrides, we're in a test environment so want to turn dev mode on`
Only allow FLEET_DEV_* env vars when `--dev` is passed, allow overriding configs one at a time in dev (#38652) Resolves #38484. This includes a CI job change to make sure we don't introduce any more env vars that don't get proxied (and thus turned off outside `--dev`). # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests Manual QA touched hot paths, but did _not_ manually test every FLEET_DEV_ environment variable change. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Centralized dev-mode environment management for consistent FLEET_DEV_* handling and test-friendly overrides. * Dev-mode allows targeted overrides for certain dev-only configuration when running with --dev. * Chores * Migrated environment access to the centralized dev-mode helper across the codebase. * Added CI checks to enforce proper usage of FLEET_DEV_* variables. * Documentation * Added guidance on dev-mode environment variable rules and overrides. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> 2026-01-27 20:32:56 +00:00			`envOverrides[name] = value`
			`}`

			`func ClearOverride(name string) {`
Add lock semantics around dev_mode.IsEnabled to avoid data races (#42646) Add lock semantics around dev_mode.IsEnabled to as a fix for [this](https://github.com/fleetdm/fleet/actions/runs/23728512273) data race 2026-03-31 11:49:45 +00:00			`mu.Lock()`
			`defer mu.Unlock()`

Only allow FLEET_DEV_* env vars when `--dev` is passed, allow overriding configs one at a time in dev (#38652) Resolves #38484. This includes a CI job change to make sure we don't introduce any more env vars that don't get proxied (and thus turned off outside `--dev`). # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests Manual QA touched hot paths, but did _not_ manually test every FLEET_DEV_ environment variable change. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Centralized dev-mode environment management for consistent FLEET_DEV_* handling and test-friendly overrides. * Dev-mode allows targeted overrides for certain dev-only configuration when running with --dev. * Chores * Migrated environment access to the centralized dev-mode helper across the codebase. * Added CI checks to enforce proper usage of FLEET_DEV_* variables. * Documentation * Added guidance on dev-mode environment variable rules and overrides. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> 2026-01-27 20:32:56 +00:00			`delete(envOverrides, name)`
			`}`

			`func ClearAllOverrides() {`
Add lock semantics around dev_mode.IsEnabled to avoid data races (#42646) Add lock semantics around dev_mode.IsEnabled to as a fix for [this](https://github.com/fleetdm/fleet/actions/runs/23728512273) data race 2026-03-31 11:49:45 +00:00			`mu.Lock()`
			`defer mu.Unlock()`

			`enabledViaOverride = false`
Only allow FLEET_DEV_* env vars when `--dev` is passed, allow overriding configs one at a time in dev (#38652) Resolves #38484. This includes a CI job change to make sure we don't introduce any more env vars that don't get proxied (and thus turned off outside `--dev`). # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT ` is avoided, SQL injection is prevented (using placeholders for values in statements) ## Testing - [x] Added/updated automated tests Manual QA touched hot paths, but did _not_ manually test every FLEET_DEV_ environment variable change. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Centralized dev-mode environment management for consistent FLEET_DEV_* handling and test-friendly overrides. * Dev-mode allows targeted overrides for certain dev-only configuration when running with --dev. * Chores * Migrated environment access to the centralized dev-mode helper across the codebase. * Added CI checks to enforce proper usage of FLEET_DEV_* variables. * Documentation * Added guidance on dev-mode environment variable rules and overrides. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com> 2026-01-27 20:32:56 +00:00			`envOverrides = map[string]string{}`
			`}`