fix: let docker-compose env vars take precedence over Infisical

Uses ${VAR:-default} pattern so pre-set env vars (from .env or
docker-compose) are not overwritten by Infisical values. Useful
when a secret needs regeneration but Infisical can't be updated
via the read-only machine identity.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

entrypoint.sh

@@ -34,7 +34,8 @@ fetch_secrets() {
 
     for (const s of secrets.secrets) {
       const escaped = s.secretValue.replace(/'/g, \"'\\\\''\" );
-      console.log('export ' + s.secretKey + \"='\" + escaped + \"'\");
+      // Only set if not already defined (docker-compose env takes precedence)
+      console.log('export ' + s.secretKey + \"=\\${\" + s.secretKey + \":-'\" + escaped + \"'}\");
     }
   } catch (e) { console.error('[infisical:$5] Error:', e.message); process.exit(1); }
 })();