From 3be4f71e22ee8561f677f07c389a3d8a40c962e5 Mon Sep 17 00:00:00 2001
From: Cal Corum <calcorum@users.noreply.github.com>
Date: Thu, 26 Mar 2026 23:15:21 -0500
Subject: [PATCH] fix: move hardcoded Discord webhook URL to environment
 variable

Replace inline webhook URL+token with DISCORD_WEBHOOK_URL env var.
Logs a warning and returns False gracefully if the var is unset.

The exposed webhook token should be rotated in Discord.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 app/dependencies.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/app/dependencies.py b/app/dependencies.py
index 6441155..fe78a00 100644
--- a/app/dependencies.py
+++ b/app/dependencies.py
@@ -503,6 +503,9 @@ def update_season_pitching_stats(player_ids, season, db_connection):
         raise
 
 
+DISCORD_WEBHOOK_URL = os.environ.get("DISCORD_WEBHOOK_URL")
+
+
 def send_webhook_message(message: str) -> bool:
     """
     Send a message to Discord via webhook.
@@ -513,7 +516,12 @@ def send_webhook_message(message: str) -> bool:
     Returns:
         bool: True if successful, False otherwise
     """
-    webhook_url = "https://discord.com/api/webhooks/1408811717424840876/7RXG_D5IqovA3Jwa9YOobUjVcVMuLc6cQyezABcWuXaHo5Fvz1en10M7J43o3OJ3bzGW"
+    webhook_url = DISCORD_WEBHOOK_URL
+    if not webhook_url:
+        logger.warning(
+            "DISCORD_WEBHOOK_URL env var is not set — skipping webhook message"
+        )
+        return False
 
     try:
         payload = {"content": message}