fix: address Devin review round 5 — empty secret file, CI .env

- secrets.py: validate file content is non-empty before using it;
  regenerate if file exists but is empty/corrupted
- release.yml: touch .env before docker compose in smoke test
  (env_file: .env in docker-compose.yml requires the file to exist)

663 tests pass.
ZdenekSrotyr 2026-04-10 14:55:31 +02:00
parent 40cca627be
commit 44b99f25ca
2 changed files with 6 additions and 1 deletions


@ -121,6 +121,8 @@ jobs:
- name: Start Agnes from built image
run: |
# Create empty .env (docker-compose.yml requires env_file: .env, gitignored)
touch .env
# Use prod compose (GHCR images) + CI overlay (test secrets)
export AGNES_TAG="${{ needs.build-and-push.outputs.image_tag }}"
docker compose -f docker-compose.yml -f docker-compose.prod.yml -f docker-compose.ci.yml up -d app


@ -15,7 +15,10 @@ def _load_or_generate(env_var: str, file_name: str) -> str:
data_dir = Path(os.environ.get("DATA_DIR", "./data"))
secret_path = data_dir / "state" / file_name
if secret_path.exists():
return secret_path.read_text().strip()
val = secret_path.read_text().strip()
if val:
return val
logger.warning("Secret file %s is empty, regenerating", secret_path)
secret_path.parent.mkdir(parents=True, exist_ok=True)
val = secrets.token_hex(32)
secret_path.write_text(val)
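Review bot: The new `val = secret_path.read_text().strip()` / `if val:` check only covers the empty case, so the "corrupted" half of the commit message is not handled: a state file holding undecodable bytes makes `read_text()` raise `UnicodeDecodeError` and the process dies instead of regenerating. The regenerate path then writes the fresh secret with `write_text`, which creates the file under the process umask (typically world-readable) — that line is unchanged context, but this commit makes it run in more situations, so it is worth tightening here. `_load_or_generate` begins before this hunk and its final `return` lies after it, so what happens when `env_var` is set is not visible. Suggested rewrite of the existence branch and the write, catching the decode error and pinning the file to owner-only before the secret lands on disk:
```python
if secret_path.exists():
    try:
        val = secret_path.read_text().strip()
    except UnicodeDecodeError:
        val = ""  # undecodable content counts as corrupted; fall through to regenerate
    if val:
        return val
    logger.warning("Secret file %s is empty or corrupted, regenerating", secret_path)
secret_path.parent.mkdir(parents=True, exist_ok=True)
val = secrets.token_hex(32)
secret_path.touch(mode=0o600)   # mode only applies on create ...
secret_path.chmod(0o600)        # ... so also fix a pre-existing (empty) file
secret_path.write_text(val)
```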