Secrets and Environment

No secrets in the repo — .env.prod (and other env files with secrets) are gitignored.
JWT_SECRET — Must be strong (e.g. 32+ characters); generate with openssl rand -base64 32.
CSRF_SECRET — Can default to JWT_SECRET if not set.
Env files — config/.env.dev (committed, safe defaults), config/.env.prod (gitignored), config/.env.ci (CI-only, no real secrets). See Backend — Environment and config for variables.