From 504239f51061efdf23f2662ef80bc5d0aa6fce1f Mon Sep 17 00:00:00 2001
From: rabbitblood <hongmingwangrabbit@gmail.com>
Date: Mon, 20 Apr 2026 12:19:12 -0700
Subject: [PATCH] fix(canvas): add NEXT_PUBLIC_ADMIN_TOKEN + CSP_DEV_MODE to
 docker-compose

Canvas needs AdminAuth token to fetch /workspaces (gated since PR #729)
and CSP_DEV_MODE to allow cross-port fetches in local Docker.

These were added earlier but lost on nuke+rebuild because they weren't
committed to staging.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 docker-compose.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index a6d3ea2e..6659b7f0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -183,11 +183,14 @@ services:
       args:
         NEXT_PUBLIC_PLATFORM_URL: ${NEXT_PUBLIC_PLATFORM_URL:-http://localhost:${PLATFORM_PUBLISH_PORT:-8080}}
         NEXT_PUBLIC_WS_URL: ${NEXT_PUBLIC_WS_URL:-ws://localhost:${PLATFORM_PUBLISH_PORT:-8080}/ws}
+        NEXT_PUBLIC_ADMIN_TOKEN: ${ADMIN_TOKEN:-}
     depends_on:
       platform:
         condition: service_healthy
     environment:
       PORT: "${CANVAS_PORT:-3000}"
+      # Local dev — relaxes CSP to allow cross-port fetches (canvas:3000 → platform:8080).
+      CSP_DEV_MODE: "${CSP_DEV_MODE:-1}"
       # NOTE: NEXT_PUBLIC_* are baked into the JS bundle at `next build` time —
       # these runtime values are ignored by the standalone output. They're kept
       # here for documentation / override during `docker compose build`.