From 54c47cf7d21f368f3c1421a15379844749185ec5 Mon Sep 17 00:00:00 2001
From: yiekheng <yiekheng@04080616.xyz>
Date: Sun, 3 May 2026 08:26:11 +0800
Subject: [PATCH] feat(envs): add CM_AUTH_SECRET to all .env.example templates

---
 envs/dev/.env.example   | 5 +++++
 envs/rex/.env.example   | 5 +++++
 envs/siong/.env.example | 5 +++++
 3 files changed, 15 insertions(+)

diff --git a/envs/dev/.env.example b/envs/dev/.env.example
index 75d88e1..db4ae7d 100644
--- a/envs/dev/.env.example
+++ b/envs/dev/.env.example
@@ -6,6 +6,11 @@
 # === Runtime ===
 CM_DEBUG=true
 
+# === Auth (cm-web-next session signing) ===
+# 64-character hex (32 bytes). Generate with: openssl rand -hex 32
+# Rotating this secret invalidates all existing sessions (forces re-login).
+CM_AUTH_SECRET=devsecret-replace-with-openssl-rand-hex-32-for-real-deploys
+
 # === Deployment Identity ===
 CM_DEPLOY_NAME=dev-cm
 CM_WEB_HOST_PORT=8000
diff --git a/envs/rex/.env.example b/envs/rex/.env.example
index 2b37f8f..62b8721 100644
--- a/envs/rex/.env.example
+++ b/envs/rex/.env.example
@@ -37,3 +37,8 @@ CM_AGENT_ID=
 CM_AGENT_PASSWORD=
 CM_SECURITY_PIN=
 CM_BOT_BASE_URL=
+
+# === Auth (cm-web-next session signing) ===
+# 64-character hex (32 bytes). Generate with: openssl rand -hex 32
+# Rotating this secret invalidates all existing sessions (forces re-login).
+CM_AUTH_SECRET=
diff --git a/envs/siong/.env.example b/envs/siong/.env.example
index 00bcd3e..2698e0b 100644
--- a/envs/siong/.env.example
+++ b/envs/siong/.env.example
@@ -37,3 +37,8 @@ CM_AGENT_ID=
 CM_AGENT_PASSWORD=
 CM_SECURITY_PIN=
 CM_BOT_BASE_URL=
+
+# === Auth (cm-web-next session signing) ===
+# 64-character hex (32 bytes). Generate with: openssl rand -hex 32
+# Rotating this secret invalidates all existing sessions (forces re-login).
+CM_AUTH_SECRET=