feat: validate environment configuration with dotenv and zod

src/config.js

@@ -1,5 +1,9 @@
 "use strict";
 
+require("dotenv").config({ quiet: true });
+
+const { z } = require("zod");
+
 function intFromEnv(name, fallback) {
   const raw = process.env[name];
   if (!raw) {
@@ -15,7 +19,7 @@ function strFromEnv(name, fallback) {
   return raw && String(raw).trim() ? String(raw).trim() : fallback;
 }
 
-const config = {
+const parsed = {
   port: intFromEnv("PORT", 3000),
   stateFilePath: strFromEnv("STATE_FILE_PATH", "./data/state.json"),
   xWebhookSecret: process.env.X_WEBHOOK_SECRET || "dev-x-secret",
@@ -34,6 +38,27 @@ const config = {
   },
 };
 
+const ConfigSchema = z.object({
+  port: z.number().int().positive(),
+  stateFilePath: z.string().min(1),
+  xWebhookSecret: z.string().min(1),
+  polarWebhookSecret: z.string().min(1),
+  rateLimits: z.object({
+    webhookPerMinute: z.number().int().positive(),
+    authPerMinute: z.number().int().positive(),
+    actionPerMinute: z.number().int().positive(),
+  }),
+  credit: z.object({
+    baseCredits: z.number().int().positive(),
+    includedChars: z.number().int().positive(),
+    stepChars: z.number().int().positive(),
+    stepCredits: z.number().int().positive(),
+    maxCharsPerArticle: z.number().int().positive(),
+  }),
+});
+
+const config = ConfigSchema.parse(parsed);
+
 module.exports = {
   config,
 };