id: TASK-3
title: Migrate Docker secrets to Infisical
status: Done
assignee:
created_date: 2026-03-01 18:43
labels: security, infrastructure
dependencies:
priority: high

Description

Replace hardcoded secrets in docker-compose.yml with Infisical runtime secret injection. Add an entrypoint.sh wrapper that authenticates with Infisical and exports the secrets before starting the Node.js server.

Final Summary

  • Replaced all hardcoded env vars in docker-compose.yml with Infisical injection (only INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET, and INFISICAL_PROJECT_SLUG remain in compose)
  • Created entrypoint.sh that authenticates with the Infisical API and exports secrets at container startup
  • Updated Dockerfile with ENTRYPOINT wrapper
  • Externalized POSTGRES_PASSWORD to .env
  • Commit: f1a4da7
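
The export step of such an entrypoint wrapper, as an added example and not the repository's entrypoint.sh: it exports fetched secrets without `eval`, so a value containing shell syntax stays data, and it fails closed on a malformed payload. Assumptions: the fetch from Infisical has already written one KEY=VALUE per line to a file, and the function names and the denylist are this example's own.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh.
# Assumption: an earlier fetch step wrote one KEY=VALUE per line to a file.

# export_secrets FILE: export each valid line; return 1 if any line is rejected.
export_secrets() {
    rc=0
    # Redirect from a file, not a pipe: a piped loop runs in a subshell
    # and its exports never reach the process that execs the server.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;       # blank line or comment
            *=*) ;;                    # has the KEY=VALUE shape
            *) rc=1; continue ;;       # no '=': reject
        esac
        key=${line%%=*}    # text before the first '='
        value=${line#*=}   # everything after it, later '=' signs included
        case "$key" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)            # not a valid variable name
                rc=1; continue ;;
            INFISICAL_*|PATH|LD_*|NODE_OPTIONS)   # this example's denylist
                rc=1; continue ;;
        esac
        # Quoted assignment: the value is never re-parsed by the shell.
        export "$key=$value" || rc=1
    done < "$1"
    return "$rc"
}

# run_with_secrets FILE CMD...: fail closed on a rejected payload, delete the
# payload file, drop the bootstrap credential (assumes the server does not
# need it), then replace the shell with CMD so it receives signals directly.
run_with_secrets() {
    export_secrets "$1" || { echo "secret payload rejected" >&2; return 1; }
    rm -f -- "$1"
    shift
    unset INFISICAL_CLIENT_SECRET
    exec "$@"
}
```

As the last line of the wrapper this would be called as `run_with_secrets "$payload" "$@"` (`$payload` being a hypothetical temp-file path), with the server command supplied by the Dockerfile. Multi-line values do not fit this line format and need an encoding applied in the fetch step.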