fix: resolve SESSION_SECRET lazily to unblock production build (#29)

PR #20 removed the insecure SESSION_SECRET fallback by throwing at
module import when the env var is unset. But `next build` imports API
route modules during "Collecting page data", so the top-level throw
broke every deploy after #20 (build failed at /api/auth/me with
"SESSION_SECRET environment variable is required").

Move the check into a lazy getSessionSecret() called from hmac() at
request time. This preserves #20's security intent (no fallback,
requests fail if unset) while letting the build import route modules
cleanly. Verified: `next build` now succeeds with SESSION_SECRET unset.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

Author: ralyodio

apps/web/lib/auth.ts

@@ -2,15 +2,23 @@ import 'server-only';
 import { cookies } from 'next/headers';
 
 const COOKIE = 'cp_session';
-const SESSION_SECRET = process.env.SESSION_SECRET;
-if (!SESSION_SECRET) {
-  throw new Error('SESSION_SECRET environment variable is required');
-}
 const enc = new TextEncoder();
 
+// Resolve the secret lazily (at request time) rather than at module import.
+// Throwing at import breaks `next build` page-data collection, which imports
+// route modules in an environment without runtime secrets. This still enforces
+// #20's intent: no insecure fallback, and requests fail if the secret is unset.
+function getSessionSecret(): string {
+  const secret = process.env.SESSION_SECRET;
+  if (!secret) {
+    throw new Error('SESSION_SECRET environment variable is required');
+  }
+  return secret;
+}
+
 async function hmac(data: string): Promise<string> {
   const key = await crypto.subtle.importKey(
-    'raw', enc.encode(SESSION_SECRET),
+    'raw', enc.encode(getSessionSecret()),
     { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']
   );
   const sig = await crypto.subtle.sign('HMAC', key, enc.encode(data));