feat: add internal API key for rSpace service-to-service auth

pushShapesToCanvas now sends X-Internal-Key header from
RSPACE_INTERNAL_KEY env var for authenticated canvas writes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker-compose.yml

@@ -10,6 +10,7 @@ services:
       - NEXT_PUBLIC_RSPACE_URL=${NEXT_PUBLIC_RSPACE_URL:-https://rspace.online}
       - RSPACE_INTERNAL_URL=${RSPACE_INTERNAL_URL:-http://rspace-online:3000}
       - NEXT_PUBLIC_ENCRYPTID_SERVER_URL=${NEXT_PUBLIC_ENCRYPTID_SERVER_URL:-https://encryptid.jeffemmett.com}
+      - RSPACE_INTERNAL_KEY=${RSPACE_INTERNAL_KEY}
     volumes:
       - uploads_data:/app/uploads
     labels:

src/lib/canvas-sync.ts

@@ -23,10 +23,17 @@ export async function pushShapesToCanvas(
   rspaceUrl?: string
 ): Promise<void> {
   const baseUrl = rspaceUrl || process.env.RSPACE_INTERNAL_URL || 'http://rspace-online:3000';
+  const headers: Record<string, string> = { 'Content-Type': 'application/json' };
+
+  // Use internal API key for service-to-service auth
+  const internalKey = process.env.RSPACE_INTERNAL_KEY;
+  if (internalKey) {
+    headers['X-Internal-Key'] = internalKey;
+  }
 
   const response = await fetch(`${baseUrl}/api/communities/${canvasSlug}/shapes`, {
     method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
+    headers,
     body: JSON.stringify({ shapes }),
   });