From e5c9c770d0c6f6ed4572fcf6f6cc77ef868bf808 Mon Sep 17 00:00:00 2001
From: Zac Gaetano <zacgaetano@Zacs-M3-Max-128gb.local>
Date: Wed, 27 May 2026 19:15:58 -0400
Subject: [PATCH] fix(compose): plumb TRUST_PROXY + ALLOWED_ORIGINS through to
 mam-api container
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Task 18 documented the two new env vars in .env.example and README but never
added them to docker-compose.yml's mam-api environment block. Without that,
the vars in .env never reach the container — so AUTH_ENABLED=true was running
with effective TRUST_PROXY=false (req.ip = proxy IP, rate-limit collapses to
per-proxy bucket) and ALLOWED_ORIGINS unset (CORS allows any origin).
---
 docker-compose.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 299a44d..9f7ebbe 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -55,6 +55,8 @@ services:
       S3_REGION: ${S3_REGION:-us-east-1}
       SESSION_SECRET: ${SESSION_SECRET}
       AUTH_ENABLED: ${AUTH_ENABLED:-false}
+      TRUST_PROXY: ${TRUST_PROXY:-false}
+      ALLOWED_ORIGINS: ${ALLOWED_ORIGINS:-}
       DOCKER_NETWORK: wild-dragon_wild-dragon
       NODE_IP: ${NODE_IP}
       NODE_HOSTNAME: ${NODE_HOSTNAME:-}