fix: normalize default SOURCEBOT_ENCRYPTION_KEY to 32 characters

The default SOURCEBOT_ENCRYPTION_KEY in docker-compose is 33 zeros, which
fails the 32-character (AES-256) length validation. Preprocess the value so
the all-zeros default is trimmed to 32 characters before validation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: brendan-kellam

packages/shared/src/env.server.ts

@@ -341,9 +341,18 @@ const options = {
         // The key is read as ASCII (1 char = 1 byte), so AES-256's 32-byte key
         // requirement means this must be exactly 32 characters. Generate one with
         // `openssl rand -base64 24` (24 random bytes => a 32-character base64 string).
-        SOURCEBOT_ENCRYPTION_KEY: z.string().length(32, {
-            message: "SOURCEBOT_ENCRYPTION_KEY must be exactly 32 characters (a 256-bit AES key). Generate one with `openssl rand -base64 24`.",
-        }),
+        SOURCEBOT_ENCRYPTION_KEY: z.preprocess(
+            // @hack in our docker-compose.yml, we mistakenly used a
+            // encryption key with _33_ zeros. As a hacky mechanism to
+            // fix peoples deployments without requiring them to update
+            // their encryption key, we look for keys with this pattern
+            // and coerce them into _32_ zeros.
+            // @see https://github.com/sourcebot-dev/sourcebot/commit/e30e75e7af96308b3b063bb3aed8369f5b15aa2e
+            (value) => value === "0".repeat(33) ? "0".repeat(32) : value,
+            z.string().length(32, {
+                message: "SOURCEBOT_ENCRYPTION_KEY must be exactly 32 characters (a 256-bit AES key). Generate one with `openssl rand -base64 24`.",
+            }),
+        ),
         SOURCEBOT_INSTALL_ID: z.string().default("unknown"),
         SOURCEBOT_LIGHTHOUSE_URL: z.string().url().default("https://deployments.sourcebot.dev"),