chore: wire SECRET_KEY + COOKIE_SECURE env pass-throughs in compose; flesh out changelog upgrade notes

2026-06-16 18:53:42 +00:00
parent 766f64f35f
commit b536877566
2 changed files with 8 additions and 1 deletions
@@ -11,6 +11,13 @@ services:
      - ENVIRONMENT=production
      - SLMM_BASE_URL=http://host.docker.internal:8100
      - SFM_BASE_URL=http://sfm:8200
+      # Client-portal session-cookie signing. Set SECRET_KEY to a real secret (e.g.
+      # in a .env file beside this compose) BEFORE the portal faces the internet —
+      # the dev default is public/forgeable and logs a warning at boot. Set
+      # COOKIE_SECURE=true once served over HTTPS (leave false on plain HTTP, or the
+      # browser won't send the cookie and the portal breaks).
+      - SECRET_KEY=${SECRET_KEY:-dev-insecure-change-me}
+      - COOKIE_SECURE=${COOKIE_SECURE:-false}
      # Display timezone for server logs + any text-rendered timestamps.
      # DB columns are stored UTC regardless; this only affects what
      # operators see.  Override here for non-US-East deployments.