Harden security controls from REPORT findings

README.md

@@ -24,9 +24,9 @@ The default `docker compose` stack includes:
 - `frontend` - React UI (`http://localhost:5173`)
 - `api` - FastAPI backend (`http://localhost:8000`, docs at `/docs`)
 - `worker` - background processing jobs
-- `db` - PostgreSQL (`localhost:5432`)
-- `redis` - queue backend (`localhost:6379`)
-- `typesense` - search index (`localhost:8108`)
+- `db` - PostgreSQL (internal service network)
+- `redis` - queue backend (internal service network)
+- `typesense` - search index (internal service network)
 
 ## Requirements
 
@@ -42,6 +42,19 @@ From repository root:
 docker compose up --build -d
 ```
 
+Before first run, set required secrets and connection values in `.env` (or your shell):
+
+- `POSTGRES_USER`
+- `POSTGRES_PASSWORD`
+- `POSTGRES_DB`
+- `DATABASE_URL`
+- `REDIS_PASSWORD`
+- `REDIS_URL`
+- `ADMIN_API_TOKEN`
+- `USER_API_TOKEN`
+- `APP_SETTINGS_ENCRYPTION_KEY`
+- `TYPESENSE_API_KEY`
+
 Open:
 
 - Frontend: `http://localhost:5173`
@@ -102,13 +115,15 @@ cd frontend && npm run preview
 
 Main runtime variables are defined in `docker-compose.yml`:
 
-- API and worker: `DATABASE_URL`, `REDIS_URL`, `STORAGE_ROOT`, `PUBLIC_BASE_URL`, `CORS_ORIGINS`, `TYPESENSE_*`
-- Frontend: `VITE_API_BASE`
+- API and worker: `DATABASE_URL`, `REDIS_URL`, `REDIS_SECURITY_MODE`, `REDIS_TLS_MODE`, `STORAGE_ROOT`, `PUBLIC_BASE_URL`, `CORS_ORIGINS`, `ALLOW_DEVELOPMENT_ANONYMOUS_USER_ACCESS`, `TYPESENSE_*`, `APP_SETTINGS_ENCRYPTION_KEY`
+- Frontend: `VITE_API_BASE`, optional `VITE_API_TOKEN` compatibility fallback
 
 Application settings saved from the UI persist at:
 
 - `<STORAGE_ROOT>/settings.json` (inside the storage volume)
 
+Provider API keys are persisted encrypted at rest (`api_key_encrypted`) and are no longer written as plaintext values.
+
 Settings endpoints:
 
 - `GET/PUT /api/v1/settings`