Harden auth flows and add backend quality gate

backend/app/main.py

@@ -163,6 +163,21 @@ def _launch_background_task(name: str, coroutine_factory: Callable[[], Awaitable
     _background_tasks.append(task)
 
 
+def _log_security_configuration_warnings() -> None:
+    if str(settings.jwt_secret or "").strip() == "change-me":
+        logger.warning(
+            "security configuration warning: JWT_SECRET is still set to the default value"
+        )
+    if str(settings.admin_password or "") == "adminadmin":
+        logger.warning(
+            "security configuration warning: ADMIN_PASSWORD is still set to the bootstrap default"
+        )
+    if bool(settings.api_docs_enabled):
+        logger.warning(
+            "security configuration warning: API docs are enabled; disable API_DOCS_ENABLED outside controlled environments"
+        )
+
+
 @app.on_event("startup")
 async def startup() -> None:
     configure_logging(
@@ -174,6 +189,7 @@ async def startup() -> None:
         log_background_sync_level=settings.log_background_sync_level,
     )
     logger.info("startup begin app=%s build=%s", settings.app_name, settings.site_build_number)
+    _log_security_configuration_warnings()
     init_db()
     runtime = get_runtime_settings()
     configure_logging(