fix(devops): add CSRF_SECRET and ENCRYPTION_KEY to compose files

Both env vars were missing from the API service environment in
docker-compose.prod.yml and docker-compose.build.yml, causing the
CSRF_SECRET check to fail at startup even when set in .env.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker/docker-compose.build.yml

@@ -383,6 +383,9 @@ services:
       JWT_EXPIRATION: ${JWT_EXPIRATION:-24h}
       # Better Auth
       BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET}
+      # Security
+      CSRF_SECRET: ${CSRF_SECRET}
+      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
       # Ollama (optional)
       OLLAMA_ENDPOINT: ${OLLAMA_ENDPOINT:-http://ollama:11434}
       # OpenBao (optional)

docker/docker-compose.prod.yml

@@ -86,6 +86,8 @@ services:
       JWT_SECRET: ${JWT_SECRET}
       JWT_EXPIRATION: ${JWT_EXPIRATION:-24h}
       BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET}
+      CSRF_SECRET: ${CSRF_SECRET}
+      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
       OLLAMA_ENDPOINT: ${OLLAMA_ENDPOINT:-http://ollama:11434}
     ports:
       - "${API_PORT:-3001}:${API_PORT:-3001}"