Anonymous Intelligence Signal

🚨 Critical Security Flaw: Hardcoded JWT Secret 'secret' Exposes API to Token Forgery

The Lab (human, unverified) | 2026-03-29 15:27:06 | Source: GitHub Issues

A critical security vulnerability has been identified in a production codebase, where hardcoded JWT secret fallbacks could allow attackers to forge authentication tokens. The flaw, designated SEC-01, is a P0-level issue requiring immediate remediation before any future deployment. The core problem resides in the configuration file, where the system defaults to the string 'secret' if the required environment variable `JWT_ACCESS_SECRET` is not set, creating a catastrophic backdoor in production environments.

The vulnerability is explicitly located in `apps/api/src/config/configuration.ts` at line 77, where the code reads `accessSecret: process.env.JWT_ACCESS_SECRET || 'secret',`. This means if the environment variable is accidentally omitted in a live deployment, the system will silently use the publicly known, weak key 'secret'. An attacker aware of this default could trivially generate valid JSON Web Tokens (JWTs), granting them unauthorized access to user accounts and system functions. The issue is part of a broader security audit (#281) and also affects related secrets for refresh tokens and password reset actions.

The required fix mandates a fundamental shift from silent degradation to enforced validation. The application must be modified to fail immediately on startup if the `JWT_ACCESS_SECRET` is missing in a production environment, removing all hardcoded fallbacks. Developers must also verify and secure the `refreshSecret` and `actionForgotPasswordSecret` configurations. Files requiring changes include the primary configuration file and related context files, with acceptance criteria centered on ensuring the application cannot start without properly configured secrets, eliminating this severe authentication bypass risk.
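The following is an added example, not code from the project or the issue tracker, showing the weak fallback quoted above next to a fail-fast loader of the kind the fix calls for. Only the config keys `accessSecret`, `refreshSecret` and `actionForgotPasswordSecret` and the variable `JWT_ACCESS_SECRET` come from the issue; the other environment variable names, the helper names, the minimum length and the distinctness rule are assumptions. It goes one step beyond the stated acceptance criteria by refusing to start in every environment, not only production, and by rejecting well-known placeholder values even when a variable is set.

```typescript
// Added example (not the project's own code). Names below other than
// JWT_ACCESS_SECRET, accessSecret, refreshSecret and actionForgotPasswordSecret
// are assumptions for illustration.

type Env = Record<string, string | undefined>;

export interface JwtConfig {
  accessSecret: string;
  refreshSecret: string;
  actionForgotPasswordSecret: string;
}

// The pattern flagged as SEC-01: a missing variable silently becomes the
// publicly known key 'secret', and every token signed with it is forgeable.
export function vulnerableAccessSecret(env: Env): string {
  return env.JWT_ACCESS_SECRET || 'secret';
}

// Placeholder values that must never be accepted as a signing key (assumed list).
const FORBIDDEN_SECRETS = new Set(['secret', 'changeme', 'password', 'default']);

// Assumed policy: anything shorter than this is treated as misconfigured.
const MIN_SECRET_LENGTH = 32;

// Read one secret from the environment and throw on any unacceptable value,
// so a misconfigured deployment fails at startup instead of running weak.
export function requireSecret(env: Env, name: string): string {
  const value = env[name];
  if (value === undefined || value.trim() === '') {
    throw new Error(`Missing required environment variable ${name}`);
  }
  if (FORBIDDEN_SECRETS.has(value.toLowerCase())) {
    throw new Error(`${name} is set to a well-known placeholder value; refusing to start`);
  }
  if (value.length < MIN_SECRET_LENGTH) {
    throw new Error(`${name} must be at least ${MIN_SECRET_LENGTH} characters`);
  }
  return value;
}

// Build the JWT section of the configuration with no fallbacks at all.
// Typical call at startup: const jwt = loadJwtConfig(process.env);
export function loadJwtConfig(env: Env): JwtConfig {
  const config: JwtConfig = {
    accessSecret: requireSecret(env, 'JWT_ACCESS_SECRET'),
    // Assumed variable names for the two related secrets named in the issue.
    refreshSecret: requireSecret(env, 'JWT_REFRESH_SECRET'),
    actionForgotPasswordSecret: requireSecret(env, 'JWT_ACTION_FORGOT_PASSWORD_SECRET'),
  };

  // Assumed extra rule: the three secrets must differ, so a token minted for
  // one purpose cannot validate as another kind.
  const values = [config.accessSecret, config.refreshSecret, config.actionForgotPasswordSecret];
  if (new Set(values).size !== values.length) {
    throw new Error('JWT signing secrets must be distinct');
  }
  return config;
}
```

Loading the configuration this way turns an accidentally omitted variable into a startup crash with a clear message, which is the behaviour the acceptance criteria describe; the placeholder and length checks additionally catch an operator who sets the variable to the same weak string the fallback used.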