fix: auto-generate encryption keys in Railway startup script

Dockerfile.railway

@@ -66,7 +66,7 @@ RUN npm run build
 FROM alpine:${ALPINE_VERSION}
 
 RUN apk update && apk add --no-cache \
-    ca-certificates tzdata sqlite nginx supervisor
+    ca-certificates tzdata sqlite nginx supervisor openssl
 
 # Copy TA-Lib
 COPY --from=ta-lib-builder /usr/local /usr/local
@@ -84,6 +84,10 @@ COPY railway/nginx.conf /etc/nginx/http.d/default.conf
 # Copy supervisor config
 COPY railway/supervisord.conf /etc/supervisord.conf
 
+# Copy backend startup wrapper (auto-generates encryption keys)
+COPY railway/start-backend.sh /app/start-backend.sh
+RUN chmod +x /app/start-backend.sh
+
 # Create data directory
 RUN mkdir -p /app/data
 

railway/start-backend.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+# Backend startup wrapper - generates encryption keys if not set
+
+# Generate RSA private key if not set
+if [ -z "$RSA_PRIVATE_KEY" ]; then
+    echo "🔐 Generating RSA key pair..."
+    export RSA_PRIVATE_KEY=$(openssl genrsa 2048 2>/dev/null)
+    echo "✅ RSA key generated"
+fi
+
+# Generate data encryption key if not set
+if [ -z "$DATA_ENCRYPTION_KEY" ]; then
+    echo "🔐 Generating data encryption key..."
+    export DATA_ENCRYPTION_KEY=$(openssl rand -base64 32)
+    echo "✅ Data encryption key generated"
+fi
+
+# Start the backend
+exec /app/nofx

railway/supervisord.conf

@@ -5,7 +5,7 @@ logfile_maxbytes=0
 pidfile=/tmp/supervisord.pid
 
 [program:backend]
-command=/app/nofx
+command=/app/start-backend.sh
 directory=/app
 autostart=true
 autorestart=true