feat: load root env and encrypt persisted secrets

[KyleTryon]

Summary

• load the repo root .env for server tooling/runtime and resolve relative CLIPARR_DATA_DIR values against the env file location
• require APP_KEY and encrypt persisted provider account tokens, source credentials, and provider session secrets at rest
• add access_token_hash for deterministic token lookups while keeping legacy plaintext rows readable until they are naturally rewritten
• explicitly ignore nested apps/server/.cliparr-data artifacts and update Docker/docs for the new env requirements

Notes

• This PR intentionally does not backfill existing plaintext rows at startup.
• Existing plaintext rows remain readable and will only become encrypted when rewritten by normal application flows.

Testing

• pnpm lint
• pnpm build
• pnpm --filter @cliparr/server exec tsx -e "import './src/config/loadEnv.ts'; import { createApp } from './src/app.ts'; (async () => { await createApp(); console.log('app-ok'); })().catch((err) => { console.error(err); process.exit(1); });"

[Copilot]

Pull request overview

This PR updates server configuration loading to better support monorepo development, and introduces an APP_KEY-based mechanism to encrypt persisted provider credentials (plus hashed lookup for provider access tokens).

Changes:

• Add a custom env loader to read the repo-root .env (and cwd .env) and resolve relative CLIPARR_DATA_DIR consistently.
• Require APP_KEY and encrypt/decrypt persisted secrets in SQLite (including adding access_token_hash for deterministic token lookups).
• Update Docker/Compose configuration, ignore rules, and documentation to reflect the new env requirements and data-dir behavior.

Reviewed changes

Copilot reviewed 15 out of 16 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
docker-compose.yml	Requires APP_KEY at compose runtime.
apps/server/src/session/store.ts	Encrypts/decrypts persisted session token/resource fields.
apps/server/src/server.ts	Switches to the new env loader and adds startup error handling.
apps/server/src/security/secrets.ts	Adds encryption/hash utilities keyed by APP_KEY.
apps/server/src/db/schema.ts	Adds accessTokenHash column and updates unique index.
apps/server/src/db/providerAccountsRepository.ts	Encrypts access tokens, hashes for lookup, adds legacy fallback lookup.
apps/server/src/db/migrations.ts	Adds migration for access_token_hash and index changes.
apps/server/src/db/mediaSourcesRepository.ts	Encrypts/decrypts JSON credential/connection fields.
apps/server/src/db/database.ts	Resolves data dir via env loader and enforces APP_KEY before DB init.
apps/server/src/config/loadEnv.ts	Loads root + cwd .env and resolves relative CLIPARR_DATA_DIR.
apps/server/drizzle.config.ts	Uses env loader and consistent data-dir resolution for Drizzle.
README.md	Documents APP_KEY requirement for Docker usage.
CONTRIBUTING.md	Adds setup guidance for .env + APP_KEY.
.gitignore	Ignores nested apps/server/.cliparr-data.
.env.example	Adds APP_KEY to example env file.
.dockerignore	Excludes nested apps/server/.cliparr-data from Docker builds.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.