2 Commits

Author SHA1 Message Date
Yury Kossakovsky
c3854caed5 fix: resolve lightrag crash-loop by setting required TOKEN_SECRET
Recent ghcr.io/hkuds/lightrag releases validate auth config at startup
and refuse to boot with `TOKEN_SECRET must be explicitly set to a
non-default value when AUTH_ACCOUNTS is configured`. The container
crash-looped and Caddy returned 502.

Generate LIGHTRAG_TOKEN_SECRET (secret:64) and pass it as TOKEN_SECRET
to the lightrag container. Existing installations pick it up on
`make update` via 03_generate_secrets.sh --update.

Release 1.4.3.

Closes #60

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 20:57:24 -06:00
Yury Kossakovsky
9dcf622e9f fix: use node-based healthcheck for uptime-kuma
louislam/uptime-kuma:2 image doesn't include wget
2026-03-28 17:50:48 -06:00
5 changed files with 12 additions and 2 deletions

@@ -279,11 +279,13 @@ RAGAPP_PASSWORD=
# LightRAG credentials (for built-in authentication)
# Username and password for web interface login
# API key for programmatic access to the API
# Token secret signs JWTs issued on web login (required when AUTH_ACCOUNTS is set)
############
LIGHTRAG_USERNAME=
LIGHTRAG_PASSWORD=
LIGHTRAG_API_KEY=
LIGHTRAG_TOKEN_SECRET=
#
#
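Review bot: The new `LIGHTRAG_TOKEN_SECRET=` line ships empty, and its comment says only that the value is required when AUTH_ACCOUNTS is set, not where the value comes from. Suggest extending the comment to say that the value is filled in by 03_generate_secrets.sh and should be left blank in the template, and that changing it later invalidates JWTs already issued on web login, since it is the signing key.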

@@ -2,10 +2,16 @@
## [Unreleased]
## [1.4.3] - 2026-04-27
### Fixed
- **LightRAG** - Fix crash-loop (`TOKEN_SECRET must be explicitly set`) by generating `LIGHTRAG_TOKEN_SECRET` and passing it as `TOKEN_SECRET` to the container. Recent upstream releases require an explicit JWT signing secret whenever `AUTH_ACCOUNTS` is configured (#60).
## [1.4.2] - 2026-03-28
### Fixed
- **n8n** - Make `N8N_PAYLOAD_SIZE_MAX` configurable via `.env` (was hardcoded to 256, ignoring user overrides)
- **Uptime Kuma** - Fix healthcheck failure (`wget: not found`) by switching to Node.js-based check
## [1.4.1] - 2026-03-23
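Review bot: The 1.4.3 entry names the cause and the fix but leaves out the upgrade step for existing installations. The commit message says they pick up the new secret on `make update` via `03_generate_secrets.sh --update`; a short clause to that effect in the changelog line would tell operators who hit the 502 what to run.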

@@ -1 +1 @@
1.4.2
1.4.3

@@ -1184,6 +1184,7 @@ services:
# Authentication (Built-in)
AUTH_ACCOUNTS: ${LIGHTRAG_USERNAME}:${LIGHTRAG_PASSWORD}
LIGHTRAG_API_KEY: ${LIGHTRAG_API_KEY}
TOKEN_SECRET: ${LIGHTRAG_TOKEN_SECRET}
# LLM Configuration (Ollama)
LLM_BINDING: ollama
LLM_MODEL: qwen2.5:32b
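Review bot: `TOKEN_SECRET: ${LIGHTRAG_TOKEN_SECRET}` has no fallback, so on an installation whose `.env` predates this change and has not been through `make update`, Compose substitutes an empty string (with only a warning) and lightrag is started with a blank signing secret. Consider having the update path verify that the variable is non-empty before recreating the container, so the problem is reported by the installer rather than surfacing at container start behind Caddy.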
@@ -1291,7 +1292,7 @@ services:
volumes:
- uptime_kuma_data:/app/data
healthcheck:
test: ["CMD-SHELL", "http_proxy= https_proxy= HTTP_PROXY= HTTPS_PROXY= wget -qO- http://localhost:3001/ || exit 1"]
test: ["CMD-SHELL", "node -e \"const http=require('http');const r=http.get('http://localhost:3001',res=>{process.exit(res.statusCode<400?0:1)});r.on('error',()=>process.exit(1));r.setTimeout(5000,()=>{r.destroy();process.exit(1)})\""]
interval: 30s
timeout: 10s
retries: 5
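Review bot: The replacement `test:` line keeps `CMD-SHELL` and packs the whole Node script into one string with escaped double quotes, which is hard to read and adds a shell layer the check no longer needs. The exec form, `["CMD", "node", "-e", "<script>"]`, would drop both the shell and the `\"` escaping. Separately, `res.statusCode<400` counts 3xx responses as healthy; if that is intended, a one-line comment above the healthcheck should say so.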

@@ -93,6 +93,7 @@ declare -A VARS_TO_GENERATE=(
["LETTA_SERVER_PASSWORD"]="password:32" # Added Letta server password
["LIGHTRAG_API_KEY"]="secret:48"
["LIGHTRAG_PASSWORD"]="password:32"
["LIGHTRAG_TOKEN_SECRET"]="secret:64" # JWT signing secret (required when AUTH_ACCOUNTS is set)
["LOGFLARE_PRIVATE_ACCESS_TOKEN"]="fixed:not-in-use" # For supabase-vector, can't be empty
["LOGFLARE_PUBLIC_ACCESS_TOKEN"]="fixed:not-in-use" # For supabase-vector, can't be empty
["LT_PASSWORD"]="password:32" # Added LibreTranslate basic auth password
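Review bot: The `["LIGHTRAG_TOKEN_SECRET"]="secret:64"` entry relies on `--update` leaving an already generated value untouched, which this hunk does not show. Worth confirming, because regenerating a JWT signing secret on every `make update` would invalidate every existing web session; if the script only fills missing keys, a word to that effect in the inline comment would settle it.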