From 7aee5ed5bab1824892e9591726e01a2430ff2c21 Mon Sep 17 00:00:00 2001
From: Jason Woltje <jason@diversecanvas.com>
Date: Sun, 15 Feb 2026 01:41:35 -0600
Subject: [PATCH] fix(devops): add CSRF_SECRET and ENCRYPTION_KEY to compose
 files

Both env vars were missing from the API service environment in
docker-compose.prod.yml and docker-compose.build.yml, causing the
CSRF_SECRET check to fail at startup even when set in .env.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 docker/docker-compose.build.yml | 3 +++
 docker/docker-compose.prod.yml  | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/docker/docker-compose.build.yml b/docker/docker-compose.build.yml
index 9a647a4..b6ca49e 100644
--- a/docker/docker-compose.build.yml
+++ b/docker/docker-compose.build.yml
@@ -383,6 +383,9 @@ services:
       JWT_EXPIRATION: ${JWT_EXPIRATION:-24h}
       # Better Auth
       BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET}
+      # Security
+      CSRF_SECRET: ${CSRF_SECRET}
+      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
       # Ollama (optional)
       OLLAMA_ENDPOINT: ${OLLAMA_ENDPOINT:-http://ollama:11434}
       # OpenBao (optional)
diff --git a/docker/docker-compose.prod.yml b/docker/docker-compose.prod.yml
index ae1dcaa..01b637d 100644
--- a/docker/docker-compose.prod.yml
+++ b/docker/docker-compose.prod.yml
@@ -86,6 +86,8 @@ services:
       JWT_SECRET: ${JWT_SECRET}
       JWT_EXPIRATION: ${JWT_EXPIRATION:-24h}
       BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET}
+      CSRF_SECRET: ${CSRF_SECRET}
+      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
       OLLAMA_ENDPOINT: ${OLLAMA_ENDPOINT:-http://ollama:11434}
     ports:
       - "${API_PORT:-3001}:${API_PORT:-3001}"