§9 prod compose secrets (todo §9); the base compose.yml was already the full prod stack (web + Postgres + Kratos/Keto/Hydra + migrations + bootstrap, no source mount) but set REQUIRE_SECURE_SECRETS=true without ever passing CSRF_SECRET into web, so docker compose -f compose.yml up couldn't boot. Wired CSRF_SECRET: ${CSRF_SECRET:-dev-insecure-csrf-secret} — env-supplied with the throwaway as the only fallback; config.ts's existing REQUIRE_SECURE_SECRETS logic rejects that throwaway so a forgotten prod secret fails loud (verified prod-unset→reject, prod-set→real, dev→throwaway+toggle-off→boots). Used :- not :? because compose interpolates the base per-file before merging the dev override (confirmed empirically), so :? would also break the zero-config dev up. Tests-first: compose.test.ts guards secret-via-env + no-source-mount + prod/dev toggle split + postgres-creds-via-env. README prod section corrected (dropped the stale planned note). typecheck + 310 units green.

README.md

@@ -568,7 +568,11 @@ request, because the session lives in Kratos and the data lives upstream.
 docker compose -f compose.yml up --build -d   # base config only, no source mount
 ```
 
-_(Production compose grows to include the Ory services and Postgres — planned.)_
+`compose.yml` is the full prod stack — web + Postgres + the three Ory services
+(Kratos/Keto/Hydra, with migrations + the one-shot bootstrap) — and mounts no source.
+Secrets come from the environment (`CSRF_SECRET`, `POSTGRES_USER`/`POSTGRES_PASSWORD`); the
+base already sets `REQUIRE_SECURE_SECRETS=true`, so a missing or dev-throwaway `CSRF_SECRET`
+fails the boot rather than running insecure.
 
 Before going live, supply the production secrets and any SSO credentials — the **only**
 manual prep ([What you must supply](#what-you-must-supply-the-only-manual-prep)); the rest