From 9510e9623171a4e95c95d411554cf3906b6c8cf0 Mon Sep 17 00:00:00 2001 From: le king fu Date: Sun, 3 May 2026 15:54:07 -0400 Subject: [PATCH] docs: warn HEALTH_TOKEN must be runtime-only on Coolify MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add inline warning in .env.example and CLAUDE.md Auth section: HEALTH_TOKEN is read at runtime only — passing it as Coolify build ARG leaks the secret in clear in application_deployment_queues.logs. Refs #4 Co-Authored-By: Claude Opus 4.7 (1M context) --- .env.example | 3 +++ CLAUDE.md | 1 + 2 files changed, 4 insertions(+) diff --git a/.env.example b/.env.example index 628d8a9..1dab141 100644 --- a/.env.example +++ b/.env.example @@ -1,3 +1,6 @@ PORT=3001 +# HEALTH_TOKEN is read at runtime only (process.env at startup). +# On Coolify: MUST be is_runtime=true, is_buildtime=false. +# Buildtime ARG leaks the secret in clear in application_deployment_queues.logs. HEALTH_TOKEN=change-me-to-a-strong-secret LOGTO_HEALTH_URL=https://auth.lacompagniemaximus.com/oidc/.well-known/openid-configuration diff --git a/CLAUDE.md b/CLAUDE.md index 523c17d..a3409a7 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -11,6 +11,7 @@ API sante minimaliste pour le VPS. ~127 lignes, Node 22 + HTTP natif. - Bearer token via env `HEALTH_TOKEN` - Fail-closed : si `HEALTH_TOKEN` non configure, toutes les requetes sont refusees +- **Coolify** : `HEALTH_TOKEN` doit etre `is_runtime=true, is_buildtime=false`. Buildtime fait fuiter le secret en clair dans `application_deployment_queues.logs`. Voir `la-compagnie-maximus/docs/coolify-ops.md` section "Secrets en buildtime". ## Config -- 2.45.2
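Review bot: in the `.env.example` hunk the added comment `# On Coolify: MUST be is_runtime=true, is_buildtime=false.` reads as a typo ("MUST be is_runtime") and should say what the flags belong to, e.g. `# On Coolify: the variable MUST be created with is_runtime=true, is_buildtime=false.`; "in clear" would also be clearer as "in cleartext". Since the comment documents a leak into `application_deployment_queues.logs` rather than preventing it, consider adding a third line telling the operator that a token that was ever passed as a build ARG is already present in those logs and must be rotated, not just reconfigured.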
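Review bot: the new `CLAUDE.md` bullet points to `la-compagnie-maximus/docs/coolify-ops.md` section "Secrets en buildtime", a path outside the two files this patch touches; state whether that document lives in this repository or in a separate one (and link it if a URL exists) so the reference does not go stale. The bullet otherwise matches the existing style of the section (no accents, same `is_runtime=true, is_buildtime=false` wording as the `.env.example` comment), and it would help to add that a previously exposed token must be rotated, consistent with the fail-closed behaviour described in the bullet just above it.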