diff --git a/next.config.mjs b/next.config.mjs
index d9929e5f..45b8e93f 100644
--- a/next.config.mjs
+++ b/next.config.mjs
@@ -1,5 +1,3 @@
-/* global process */
-
 // When building under Node.js (not Bun), redirect bun:sqlite to a better-sqlite3 shim
 // so `next build` works locally without Bun installed.
 const isBun = typeof globalThis.Bun !== 'undefined';
diff --git a/src/lib/secret.ts b/src/lib/secret.ts
index ca0aaa08..dd38f5bf 100644
--- a/src/lib/secret.ts
+++ b/src/lib/secret.ts
@@ -48,13 +48,14 @@ export function decryptSecret(value: string): string {
   // Try new HKDF key first
   try {
     return _decryptWithKey(value, deriveKey());
-  } catch (hkdfError) {
+  } catch (hkdfError: unknown) {
     // L5: Only fall back to legacy key within the grace period
     if (LEGACY_KEY_CUTOFF && new Date() > LEGACY_KEY_CUTOFF) {
       throw new Error(
         "[secret] HKDF decryption failed and legacy key grace period has expired. " +
         "Re-encrypt this secret with the current key. " +
-        "Set LEGACY_KEY_CUTOFF_DATE=never to temporarily restore legacy key support."
+        "Set LEGACY_KEY_CUTOFF_DATE=never to temporarily restore legacy key support.",
+        { cause: hkdfError }
       );
     }
     console.warn("[secret] HKDF decryption failed; retrying with legacy SHA-256 key. Re-encrypt this secret to remove the legacy key dependency.");