fix: Handle empty FLASK_SECRET_KEY in config (v0.9.5)

os.getenv() returns empty string instead of using default when env var
is set but empty. This caused SECRET_KEY to be empty when FLASK_SECRET_KEY=""
was in .env, breaking Flask sessions/flash messages.

Now treats empty string same as unset, properly falling back to SESSION_SECRET.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.9.5] - 2025-11-23
+
+### Fixed
+- **SECRET_KEY empty string handling**: Fixed config.py to properly handle empty `FLASK_SECRET_KEY` environment variable
+  - `os.getenv()` returns empty string (not None) when env var is set to `""`
+  - Empty string now correctly falls back to SESSION_SECRET
+  - Prevents Flask session/flash failures when FLASK_SECRET_KEY="" in .env file
+
 ## [0.9.4] - 2025-11-22
 
 ### Fixed

starpunk/__init__.py

@@ -153,5 +153,5 @@ def create_app(config=None):
 
 # Package version (Semantic Versioning 2.0.0)
 # See docs/standards/versioning-strategy.md for details
-__version__ = "0.9.4"
+__version__ = "0.9.5"
-__version_info__ = (0, 9, 4)
+__version_info__ = (0, 9, 5)

starpunk/config.py

@@ -44,9 +44,9 @@ def load_config(app, config_override=None):
         )
 
     # Flask secret key (uses SESSION_SECRET by default)
-    app.config["SECRET_KEY"] = os.getenv(
+    # Note: We check for truthy value to handle empty string in .env
-        "FLASK_SECRET_KEY", app.config["SESSION_SECRET"]
+    flask_secret = os.getenv("FLASK_SECRET_KEY")
-    )
+    app.config["SECRET_KEY"] = flask_secret if flask_secret else app.config["SESSION_SECRET"]
 
     # Data paths
     app.config["DATA_PATH"] = Path(os.getenv("DATA_PATH", "./data"))