chore(auth): wire OPERATOR_AUTH_ENABLED into compose + changelog

2026-06-17 20:17:01 +00:00
parent dc95a59dfa
commit 054eebe68b
2 changed files with 5 additions and 0 deletions
@@ -18,6 +18,10 @@ services:
      # browser won't send the cookie and the portal breaks).
      - SECRET_KEY=${SECRET_KEY:-dev-insecure-change-me}
      - COOKIE_SECURE=${COOKIE_SECURE:-false}
+      # Operator login gate. Leave false to ship dark; seed a superadmin via
+      # backend/operator_admin.py, confirm you can log in, THEN set true to enforce.
+      # Instant escape hatch: set back to false. See docs/superpowers/specs/2026-06-17-operator-auth-design.md
+      - OPERATOR_AUTH_ENABLED=${OPERATOR_AUTH_ENABLED:-false}
      # Display timezone for server logs + any text-rendered timestamps.
      # DB columns are stored UTC regardless; this only affects what
      # operators see.  Override here for non-US-East deployments.