From f08897b8013b7ed55bb809721803c0b1efaed835 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Tue, 14 Apr 2026 13:07:11 +0200
Subject: [PATCH] fix(deploy): wire OCR training token to backend and raise
 container memory limit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Pass OCR_TRAINING_TOKEN through to the backend container as
  APP_OCR_TRAINING_TOKEN so RestClientOcrClient sends the X-Training-Token
  header when calling /train and /segtrain.
- Raise mem_limit/memswap_limit from 8g to 12g to give segtrain headroom
  on hosts with more available RAM.
- Uncomment OCR_TRAINING_TOKEN in .env.example — it is now required.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .env.example       | 6 +++---
 docker-compose.yml | 5 +++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/.env.example b/.env.example
index 9011b4a5..6ba5dcf9 100644
--- a/.env.example
+++ b/.env.example
@@ -21,9 +21,9 @@ PORT_FRONTEND=5173
 PORT_MAILPIT_UI=8100
 PORT_MAILPIT_SMTP=1025
 
-# OCR Training — set a secret token to protect the /train and /segtrain endpoints on the
-# Python OCR microservice. Leave empty to disable token authentication (development only).
-# OCR_TRAINING_TOKEN=change-me-in-production
+# OCR Training — secret token required to call /train and /segtrain on the OCR service.
+# Also set in the backend so it can pass the token through. Must not be empty in production.
+OCR_TRAINING_TOKEN=change-me-in-production
 
 # Production SMTP — uncomment and fill in to send real emails instead of catching them
 # APP_BASE_URL=https://your-domain.example.com
diff --git a/docker-compose.yml b/docker-compose.yml
index bf57501a..35660e0f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -83,8 +83,8 @@ services:
     restart: unless-stopped
     expose:
       - "8000"
-    mem_limit: 8g
-    memswap_limit: 8g
+    mem_limit: 12g
+    memswap_limit: 12g
     volumes:
       - ocr_models:/app/models
       - ocr_cache:/root/.cache
@@ -145,6 +145,7 @@ services:
       SPRING_MAIL_PROPERTIES_MAIL_SMTP_AUTH: ${MAIL_SMTP_AUTH:-false}
       SPRING_MAIL_PROPERTIES_MAIL_SMTP_STARTTLS_ENABLE: ${MAIL_STARTTLS_ENABLE:-false}
       APP_OCR_BASE_URL: http://ocr-service:8000
+      APP_OCR_TRAINING_TOKEN: "${OCR_TRAINING_TOKEN:-}"
     ports:
       - "${PORT_BACKEND}:8080"
     networks: