refactor(config): enforce runtime auth secret policy

scripts/check-architecture-guardrails.mjs

@@ -5,6 +5,49 @@ import process from "node:process";
 const rootDir = process.cwd();
 
 const rules = [
+  {
+    file: "apps/web/src/server/auth.ts",
+    required: [
+      {
+        pattern: /\bassertSecureRuntimeEnv\s*\(/,
+        message: "Auth startup must validate production runtime env before serving requests",
+      },
+    ],
+    forbidden: [],
+  },
+  {
+    file: "apps/web/src/server/runtime-env.ts",
+    required: [
+      {
+        pattern: /\bDISALLOWED_PRODUCTION_SECRETS\b/,
+        message: "runtime env validation must keep a denylist for known development secrets",
+      },
+      {
+        pattern: /\bAUTH_SECRET\b/,
+        message: "runtime env validation must check the Auth.js secret environment variables",
+      },
+      {
+        pattern: /\bNEXTAUTH_URL\b/,
+        message: "runtime env validation must check the public auth url environment variables",
+      },
+    ],
+    forbidden: [],
+  },
+  {
+    file: "docker-compose.yml",
+    required: [
+      {
+        pattern: /NEXTAUTH_SECRET:\s+\$\{NEXTAUTH_SECRET:\?set NEXTAUTH_SECRET\}/,
+        message: "local compose must source NEXTAUTH_SECRET from environment instead of hardcoding it",
+      },
+    ],
+    forbidden: [
+      {
+        pattern: /NEXTAUTH_SECRET:\s+dev-secret-change-in-production/,
+        message: "local compose must not hardcode the development Auth.js secret",
+      },
+    ],
+  },
   {
     file: "packages/api/src/sse/event-bus.ts",
     required: [],