From 4be249a57b723c3cb7cf481cad4896368c2a60f9 Mon Sep 17 00:00:00 2001
From: Michael Schiemer
Date: Mon, 3 Nov 2025 00:57:20 +0100
Subject: [PATCH] fix: Normalize Docker Secret file paths to support both formats
- Handle paths like /redis_password and convert to /run/secrets/redis_password
- Docker Swarm may set *_FILE variables with just the secret name
- Add file permission debugging to diagnose read issues
- Should fix issue where REDIS_PASSWORD_FILE points to /redis_password instead of /run/secrets/redis_password
---
 src/Framework/Config/DockerSecretsResolver.php | 9 +++++++++
 src/Framework/Core/AppBootstrapper.php | 11 ++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/Framework/Config/DockerSecretsResolver.php b/src/Framework/Config/DockerSecretsResolver.php
index 0fb84ad2..09d826f4 100644
--- a/src/Framework/Config/DockerSecretsResolver.php
+++ b/src/Framework/Config/DockerSecretsResolver.php
@@ -44,6 +44,15 @@ final readonly class DockerSecretsResolver
 }
 try {
+ // Normalize file path: if path doesn't start with /run/secrets, prepend it
+ // This handles Docker Swarm secrets which may only provide the secret name
+ // Example: /redis_password -> /run/secrets/redis_password
+ if (!str_starts_with($filePath, '/run/secrets/') && str_starts_with($filePath, '/')) {
+ // Path starts with / but not /run/secrets/, likely a secret name
+ $secretName = ltrim($filePath, '/');
+ $filePath = '/run/secrets/' . $secretName;
+ }
+
 $file = FilePath::create($filePath);
 if (!$file->exists() || !$file->isReadable()) {
diff --git a/src/Framework/Core/AppBootstrapper.php b/src/Framework/Core/AppBootstrapper.php
index 110e7aa4..36ea1243 100644
--- a/src/Framework/Core/AppBootstrapper.php
+++ b/src/Framework/Core/AppBootstrapper.php
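Review bot: The added normalization in src/Framework/Config/DockerSecretsResolver.php rewrites every absolute path that is not already under `/run/secrets/`, not only bare secret names, so a `*_FILE` value such as `/etc/app/redis_password` is silently redirected to `/run/secrets/etc/app/redis_password`, and any `..` segments are carried over unchecked. A bare name without a leading slash, which the commit message also describes, is not normalized at all. Restricting the rewrite to a single path segment covers both cases: `$secretName = ltrim($filePath, '/');` followed by `if ($secretName !== '' && $secretName !== '.' && $secretName !== '..' && !str_contains($secretName, '/')) { $filePath = '/run/secrets/' . $secretName; }`. The enclosing method and its `try` block start and end outside the hunk, so whether `FilePath::create()` canonicalizes or confines the path cannot be seen here.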
@@ -104,9 +104,14 @@ final readonly class AppBootstrapper
 error_log("Expected file path: $expectedFile");
 error_log("File exists: " . (file_exists($expectedFile) ? 'YES' : 'NO'));
 error_log("File readable: " . (is_readable($expectedFile) ? 'YES' : 'NO'));
- if (file_exists($expectedFile) && is_readable($expectedFile)) {
- $content = file_get_contents($expectedFile);
- error_log("File content length: " . strlen($content ?? ''));
+ if (file_exists($expectedFile)) {
+ error_log("File permissions: " . substr(sprintf('%o', fileperms($expectedFile)), -4));
+ error_log("File owner: " . fileowner($expectedFile));
+ error_log("Current process user: " . getmyuid());
+ if (is_readable($expectedFile)) {
+ $content = file_get_contents($expectedFile);
+ error_log("File content length: " . strlen($content ?? ''));
+ }
 }
 error_log("------------------------------------");
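Review bot: The diagnostics in src/Framework/Core/AppBootstrapper.php still read the whole secret with `file_get_contents()` only to log its length, and the new lines add the file mode, owner and process uid to the same log, so the secret's length and the layout of the secrets mount end up in a log that is usually readable by more people than the secret itself. `file_get_contents()` returns `false` on failure, which `$content ?? ''` does not catch, so a failed read is logged as length 0 or, if the file declares strict types (not visible here), raises a TypeError. Consider dropping the read in favour of `error_log("File non-empty: " . (filesize($expectedFile) > 0 ? 'YES' : 'NO'));` and keeping the whole block behind a debug switch. Whether such a guard already wraps these lines cannot be seen, since the enclosing method starts and ends outside the hunk.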