fix(devops): add CSRF_SECRET to all compose files

Added CSRF_SECRET to docker-compose.swarm.portainer.yml (the active
Portainer deployment) and both example compose files. Also added
ENCRYPTION_KEY to the example files where it was missing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker-compose.swarm.portainer.yml

@@ -291,6 +291,7 @@ services:
       JWT_SECRET: ${JWT_SECRET:-change-this-to-a-random-secret}
       JWT_EXPIRATION: ${JWT_EXPIRATION:-24h}
       BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET}
+      CSRF_SECRET: ${CSRF_SECRET}
       OLLAMA_ENDPOINT: ${OLLAMA_ENDPOINT:-http://ollama:11434}
       OPENBAO_ADDR: ${OPENBAO_ADDR:-http://openbao:8200}
       ENCRYPTION_KEY: ${ENCRYPTION_KEY}

docker/docker-compose.example.external.yml

@@ -115,6 +115,10 @@ services:
       OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}
       OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET}
 
+      # Security
+      CSRF_SECRET: ${CSRF_SECRET}
+      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
+
   # Web app remains unchanged
   # web: (uses defaults from docker-compose.yml)
 

docker/docker-compose.example.hybrid.yml

@@ -107,4 +107,8 @@ services:
       OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}
       OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET}
 
+      # Security
+      CSRF_SECRET: ${CSRF_SECRET}
+      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
+
   # Web and Orchestrator use defaults from docker-compose.yml