From dfe89b7a3ba6ea907d75099fa22c5a7675949c63 Mon Sep 17 00:00:00 2001
From: Jason Woltje <jason@diversecanvas.com>
Date: Sun, 15 Feb 2026 01:44:45 -0600
Subject: [PATCH] fix(devops): add CSRF_SECRET to all compose files

Added CSRF_SECRET to docker-compose.swarm.portainer.yml (the active
Portainer deployment) and both example compose files. Also added
ENCRYPTION_KEY to the example files where it was missing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 docker-compose.swarm.portainer.yml         | 1 +
 docker/docker-compose.example.external.yml | 4 ++++
 docker/docker-compose.example.hybrid.yml   | 4 ++++
 3 files changed, 9 insertions(+)

diff --git a/docker-compose.swarm.portainer.yml b/docker-compose.swarm.portainer.yml
index 217c04c..855d15d 100644
--- a/docker-compose.swarm.portainer.yml
+++ b/docker-compose.swarm.portainer.yml
@@ -291,6 +291,7 @@ services:
       JWT_SECRET: ${JWT_SECRET:-change-this-to-a-random-secret}
       JWT_EXPIRATION: ${JWT_EXPIRATION:-24h}
       BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET}
+      CSRF_SECRET: ${CSRF_SECRET}
       OLLAMA_ENDPOINT: ${OLLAMA_ENDPOINT:-http://ollama:11434}
       OPENBAO_ADDR: ${OPENBAO_ADDR:-http://openbao:8200}
       ENCRYPTION_KEY: ${ENCRYPTION_KEY}
diff --git a/docker/docker-compose.example.external.yml b/docker/docker-compose.example.external.yml
index 9d46fbb..bbbb9e4 100644
--- a/docker/docker-compose.example.external.yml
+++ b/docker/docker-compose.example.external.yml
@@ -115,6 +115,10 @@ services:
       OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}
       OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET}
 
+      # Security
+      CSRF_SECRET: ${CSRF_SECRET}
+      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
+
   # Web app remains unchanged
   # web: (uses defaults from docker-compose.yml)
 
diff --git a/docker/docker-compose.example.hybrid.yml b/docker/docker-compose.example.hybrid.yml
index ac1fefa..93de773 100644
--- a/docker/docker-compose.example.hybrid.yml
+++ b/docker/docker-compose.example.hybrid.yml
@@ -107,4 +107,8 @@ services:
       OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}
       OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET}
 
+      # Security
+      CSRF_SECRET: ${CSRF_SECRET}
+      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
+
   # Web and Orchestrator use defaults from docker-compose.yml