Merge PR #5 : docs: warn HEALTH_TOKEN must be runtime-only on Coolify

docs: warn HEALTH_TOKEN must be runtime-only on Coolify
Add inline warning in .env.example and CLAUDE.md Auth section: HEALTH_TOKEN is read at runtime only — passing it as Coolify build ARG leaks the secret in clear in application_deployment_queues.logs. Refs #4 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 20:12:24 +00:00 · 2026-05-03 15:54:07 -04:00
2 changed files with 4 additions and 0 deletions
--- a/.env.example
+++ b/.env.example
@ -1,3 +1,6 @@
 PORT=3001
 # HEALTH_TOKEN is read at runtime only (process.env at startup).
 # On Coolify: MUST be is_runtime=true, is_buildtime=false.
 # Buildtime ARG leaks the secret in clear in application_deployment_queues.logs.
 HEALTH_TOKEN=change-me-to-a-strong-secret
 LOGTO_HEALTH_URL=https://auth.lacompagniemaximus.com/oidc/.well-known/openid-configuration
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -11,6 +11,7 @@ API sante minimaliste pour le VPS. ~127 lignes, Node 22 + HTTP natif.
 - Bearer token via env `HEALTH_TOKEN`
 - Fail-closed : si `HEALTH_TOKEN` non configure, toutes les requetes sont refusees
 - **Coolify** : `HEALTH_TOKEN` doit etre `is_runtime=true, is_buildtime=false`. Buildtime fait fuiter le secret en clair dans `application_deployment_queues.logs`. Voir `la-compagnie-maximus/docs/coolify-ops.md` section "Secrets en buildtime".
 ## Config