refactor(runtime): prefer env-backed secrets at runtime

packages/api/src/__tests__/anonymization.test.ts

@@ -1,7 +1,11 @@
-import { describe, expect, it, vi } from "vitest";
-import { getAnonymizationDirectory } from "../lib/anonymization.js";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { getAnonymizationConfig, getAnonymizationDirectory } from "../lib/anonymization.js";
 
 describe("anonymization directory", () => {
+  afterEach(() => {
+    vi.unstubAllEnvs();
+  });
+
   it("persists aliases so existing resources keep the same identity when new resources appear", async () => {
     let storedAliases: Record<string, { displayName: string; eid: string }> = {
       resource_a: {
@@ -126,4 +130,21 @@ describe("anonymization directory", () => {
     expect(alias?.eid).toMatch(/^[a-z]+(?:\.[a-z]+)*$/);
     expect(db.systemSettings.update).toHaveBeenCalledTimes(1);
   });
+
+  it("prefers the anonymization seed from the environment at runtime", async () => {
+    vi.stubEnv("ANONYMIZATION_SEED", "env-seed");
+
+    const config = await getAnonymizationConfig({
+      systemSettings: {
+        findUnique: vi.fn(async () => ({
+          anonymizationEnabled: true,
+          anonymizationDomain: "example.test",
+          anonymizationSeed: "db-seed",
+          anonymizationMode: "global",
+        })),
+      },
+    } as never);
+
+    expect(config.seed).toBe("env-seed");
+  });
 });