release(v3.9.3): legacy fallback worker-env fix after persistent-token key rotation

- crypto(startup): stop exporting the legacy fallback key as a process-wide env value on compatibility-path installs
- crypto(resolve): prefer the persisted key file over legacy_default source hints once a rotation has written metadata/persistent_tokens.key
- admin(ui): eliminate post-rotation getConfig/siteConfig failures caused by workers still decrypting with the inherited legacy fallback

Author: error311

CHANGELOG.md

@@ -1,5 +1,27 @@
 # Changelog
 
+## Changes 03/15/2026 (v3.9.3)
+
+`release(v3.9.3): legacy fallback worker-env fix after persistent-token key rotation`
+
+**Commit message**  
+
+```text
+release(v3.9.3): legacy fallback worker-env fix after persistent-token key rotation
+
+- crypto(startup): stop exporting the legacy fallback key as a process-wide env value on compatibility-path installs
+- crypto(resolve): prefer the persisted key file over legacy_default source hints once a rotation has written metadata/persistent_tokens.key
+- admin(ui): eliminate post-rotation getConfig/siteConfig failures caused by workers still decrypting with the inherited legacy fallback
+```
+
+**Fixed**  
+
+- **Post-rotation request consistency**
+  - Fixed a case where some Apache workers could keep using the legacy fallback persistent-token key immediately after an in-app rotation, causing transient `getConfig.php` / `siteConfig.php` `500` responses until a refresh or restart.
+  - Compatibility-path installs no longer export the legacy fallback key as a worker-wide env value, and the key resolver now prefers the persisted key file once rotation has written `metadata/persistent_tokens.key`.
+
+---
+
 ## Changes 03/15/2026 (v3.9.2)
 
 `release(v3.9.2): admin config decrypt retry after persistent-token key transitions`

config/config.php

@@ -223,7 +223,7 @@ function fr_resolve_persistent_tokens_key(): array
 
     $source = 'legacy_default';
     $key = $defaultKey;
-    if ($envKey !== '') {
+    if ($envKey !== '' && !($sourceHint === 'legacy_default' && $fileKey !== '')) {
         $key = $envKey;
         if (in_array($sourceHint, ['env', 'file', 'generated_file', 'legacy_default'], true)) {
             $source = $sourceHint;

start.sh

@@ -88,7 +88,7 @@ elif [ -s "${PERSISTENT_TOKENS_KEY_FILE}" ]; then
   export PERSISTENT_TOKENS_KEY_SOURCE="file"
   echo "[startup] Loaded persistent tokens key from metadata/persistent_tokens.key."
 elif has_existing_persistent_key_state; then
-  export PERSISTENT_TOKENS_KEY="${LEGACY_PERSISTENT_TOKENS_KEY}"
+  unset PERSISTENT_TOKENS_KEY || true
   export PERSISTENT_TOKENS_KEY_SOURCE="legacy_default"
   echo "WARNING: No explicit persistent tokens key is configured, but existing encrypted state was found. Continuing with the legacy built-in key for backward compatibility."
 else
@@ -106,7 +106,7 @@ else
   fi
 fi
 
-if [ "${PERSISTENT_TOKENS_KEY}" = "default_please_change_this_key" ] || [ "${PERSISTENT_TOKENS_KEY}" = "please_change_this_@@" ]; then
+if [ "${PERSISTENT_TOKENS_KEY:-}" = "default_please_change_this_key" ] || [ "${PERSISTENT_TOKENS_KEY:-}" = "please_change_this_@@" ]; then
   echo "WARNING: PERSISTENT_TOKENS_KEY matches a published placeholder value. Replace it with a unique secret and plan a controlled rotation."
 fi