sec: warn on plaintext SCHEDULED_TASK_SECRET when secret-name path is active

[cristim]

Summary

• Fixes resolveScheduledTaskSecret in internal/server/app.go to prefer the secret-store path when SCHEDULED_TASK_SECRET_NAME is set, instead of silently returning the plaintext value
• Adds a SECURITY WARNING log message at startup when both SCHEDULED_TASK_SECRET (plaintext, visible in Lambda env / Terraform state) and SCHEDULED_TASK_SECRET_NAME are configured together
• Four new regression tests covering both-set (secret-store wins), plaintext-only dev path, resolver-error fallback, and standard prod path

The previous behaviour silently bypassed the Secrets Manager lookup whenever the plaintext variable was non-empty, making the production bearer-mode path identical to the dev path even in AWS Lambda deployments.

Closes #451

[coderabbitai]

Warning

Rate limit exceeded

@cristim has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 28 minutes and 9 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e9aa4afd-c483-46cf-9c22-3775bad9582d

📥 Commits

Reviewing files that changed from the base of the PR and between bc8831b and 367314c.

📒 Files selected for processing (2)

• internal/server/app.go
• internal/server/app_test.go

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/451-scheduled-task-secret-guard

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.