refactor(config): enforce runtime auth secret policy

docs/architecture-hardening-backlog.md

@@ -21,6 +21,7 @@
 - `resource` is now onboarded as the second real comment entity, reusing the same ownership and staff-visibility rules as the resource detail route
 - comment mention autocomplete now uses a dedicated entity-scoped API route instead of inheriting the narrower `user.listAssignable` audience
 - runtime secret handling is now environment-first end to end: admin updates no longer persist new operational secrets, runtime status is surfaced explicitly, and legacy database secret copies can be cleared through a dedicated cleanup path
+- production auth runtime config now fails fast when `AUTH_SECRET`/`NEXTAUTH_SECRET` is missing or left on a known development placeholder, and local compose no longer hardcodes that secret
 - `apps/web` system settings UI is now decomposed into section components with shared secret/runtime helpers, bringing all files in that slice back under the file-size guardrail
 - the first API-side `assistant-tools` extraction is in place: settings, system-role config, webhooks, audit log access, and shoring ratio now live in a dedicated domain module with shared assistant-tool types
 - the advanced timeline assistant toolset now lives in its own domain module, keeping the high-risk read/mutation pairings out of the monolithic router without changing the assistant contract
@@ -61,9 +62,8 @@ That extraction work is now effectively complete for the current assistant-tool
 The small hardening slices are effectively exhausted.
 The remaining work is now structural rather than another quick batch:
 
-1. secrets and runtime configuration policy
-2. oversized router decomposition
-3. performance hotspot reduction
+1. oversized router decomposition
+2. performance hotspot reduction
 
 ## Working Rule