Description: Both hashToken() and issueJwt() in Sep10Service use this.configService.get('SEP10_JWT_SECRET') || 'secret' as fallback. If the env var is empty or unset at runtime, the JWT secret becomes the literal string 'secret'. An attacker who knows this can forge valid JWTs arbitrarily.
Acceptance Criteria:
- Remove the '|| 'secret' fallback from both hashToken() and issueJwt()
- Throw a Configuration error if SEP10_JWT_SECRET is missing at startup
- The Joi validation schema already requires min(32) for SEP10_JWT_SECRET
- Unit test verifies that empty secret throws instead of fallback
Description: Both hashToken() and issueJwt() in Sep10Service use
this.configService.get('SEP10_JWT_SECRET') || 'secret'as fallback. If the env var is empty or unset at runtime, the JWT secret becomes the literal string 'secret'. An attacker who knows this can forge valid JWTs arbitrarily.Acceptance Criteria: