From 3babbf2ef7395e4dae0233d77c1ab3d85d9c24d9 Mon Sep 17 00:00:00 2001
From: Shantanu Mane <maneshantanu.20@gmail.com>
Date: Tue, 16 Jun 2026 21:49:27 +0530
Subject: [PATCH] fix(otel): default OTLP exporter to plaintext gRPC

- Invert OTEL_TLS_INSECURE default so unset means plaintext, not TLS
- Add parseTLSInsecure helper: only "false" opts into TLS
- Stop silent telemetry loss against the bundled plaintext collector
- Add unit tests for the env-var parsing
---
 internal/config/env.go      |  8 +++++++-
 internal/config/env_test.go | 26 ++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 internal/config/env_test.go

diff --git a/internal/config/env.go b/internal/config/env.go
index 2179c94..981812e 100644
--- a/internal/config/env.go
+++ b/internal/config/env.go
@@ -190,7 +190,7 @@ func GetEnvConfig(envFile string) (EnvConfig, error) {
 		},
 		Otel: OtelConfig{
 			Endpoint:          envOr("OTEL_EXPORTER_OTLP_ENDPOINT", "otel-collector:4317"),
-			TLSInsecure:       strings.ToLower(os.Getenv("OTEL_TLS_INSECURE")) == "true",
+			TLSInsecure:       parseTLSInsecure(os.Getenv("OTEL_TLS_INSECURE")),
 			DeploymentEnv:     envOr("DEPLOYMENT_ENV", env),
 			TraceSamplingRate: traceSamplingRate,
 			ServiceName:       envOr("SERVICE_NAME", "mpiper-api"),
@@ -210,6 +210,12 @@ func GetEnvConfig(envFile string) (EnvConfig, error) {
 	}, nil
 }
 
+// parseTLSInsecure defaults to plaintext (true); TLS is opt-in via OTEL_TLS_INSECURE=false.
+// The bundled collector speaks plaintext gRPC, so secure-by-default would silently drop all telemetry.
+func parseTLSInsecure(raw string) bool {
+	return strings.ToLower(strings.TrimSpace(raw)) != "false"
+}
+
 func envOr(key, def string) string {
 	if v := os.Getenv(key); v != "" {
 		return v
diff --git a/internal/config/env_test.go b/internal/config/env_test.go
new file mode 100644
index 0000000..cd67040
--- /dev/null
+++ b/internal/config/env_test.go
@@ -0,0 +1,26 @@
+package config
+
+import "testing"
+
+func TestParseTLSInsecure(t *testing.T) {
+	tests := []struct {
+		name string
+		raw  string
+		want bool
+	}{
+		{"unset defaults to plaintext", "", true},
+		{"explicit false enables TLS", "false", false},
+		{"uppercase FALSE enables TLS", "FALSE", false},
+		{"padded false enables TLS", "  false  ", false},
+		{"explicit true is plaintext", "true", true},
+		{"garbage value is plaintext", "yes", true},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			if got := parseTLSInsecure(tc.raw); got != tc.want {
+				t.Errorf("parseTLSInsecure(%q) = %v, want %v", tc.raw, got, tc.want)
+			}
+		})
+	}
+}