SEC-07 — committed secrets:
- Replace real-looking defaults in .env.example (JWT_SECRET/JWT_REFRESH_SECRET
  "changeme", MANUAL_INVITE_PASSWORD "pm.local@zghl.de") with CHANGE_ME
  placeholders, and drop the personal DOME_LIGHT_WEBHOOK_URL default.
- Add a Nitro startup plugin (server/plugins/validate-secrets.ts) that refuses
  to boot in production when JWT_SECRET is unset, looks like a placeholder, or
  is shorter than 32 chars (warns only in development).

OPS-02 / SEC-09 — cron endpoints:
- requireCronSecret now fails closed: when no CRON_SECRET/KPI_CRON_SECRET is
  configured the endpoint returns 503 instead of being publicly callable
  (previously it allowed the request with a warning). Both cron routes already
  call the guard. Prefer the x-cron-secret header over the loggable ?secret=
  query param; document CRON_SECRET in .env.example.

Operational note: production deployments must now set JWT_SECRET (>=32 chars)
and CRON_SECRET, or the server won't start / crons return 503.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
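
Added example, not code from this commit or repository: the startup check and the fail-closed cron guard described in the message above, written as pure functions over plain objects. Assumptions: the placeholder patterns, detecting production via NODE_ENV, answering 401 on a wrong secret, and accepting either CRON_SECRET or KPI_CRON_SECRET as the configured value.

```typescript
// Added illustration; not the repository's validate-secrets.ts or requireCronSecret.
type Env = Record<string, string | undefined>;

// Assumed placeholder patterns; the commit does not list the ones it checks.
const PLACEHOLDER = /^(change[-_ ]?me|secret|password|example)/i;

// Why JWT_SECRET is unacceptable, or null when it passes all three checks.
function jwtSecretProblem(env: Env): string | null {
  const s = env.JWT_SECRET;
  if (!s) return "unset";
  if (PLACEHOLDER.test(s)) return "placeholder";
  if (s.length < 32) return "too short";
  return null;
}

// Production refuses to boot on a bad secret; any other environment only warns.
// Assumption: production is detected through NODE_ENV.
function startupAction(env: Env): "ok" | "warn" | "refuse" {
  if (jwtSecretProblem(env) === null) return "ok";
  return env.NODE_ENV === "production" ? "refuse" : "warn";
}

// Compare two secrets without stopping at the first differing character.
function sameSecret(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// HTTP status the guard answers with. 503 when no secret is configured (fail
// closed); 401 on a missing or wrong secret is an assumption of this example.
function cronGuardStatus(env: Env, headers: Env, query: Env): number {
  const expected = env.CRON_SECRET || env.KPI_CRON_SECRET;
  if (!expected) return 503; // never fall through to "allow with a warning"
  // The header is preferred; ?secret= tends to end up in access logs.
  const presented = headers["x-cron-secret"] ?? query.secret;
  if (!presented || !sameSecret(presented, expected)) return 401;
  return 200;
}
```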