## Goal Centralize configuration and ensure secrets are never baked into bundles. ## Tasks - [ ] Add config loader that uses `process.env.*` and falls back to runtime-config for static hosting. - [ ] Ensure any API keys are used server-side only; frontend uses short-lived tokens via auth endpoints. - [ ] Document how to set env vars for local, staging, prod (example `vercel` and `docker` instructions). - [ ] Add a CI secret scanning check that fails on accidental commit of `.env` files. ## Acceptance criteria - [ ] No secrets are present in built frontend bundles; environment instructions present in README.
Goal
Centralize configuration and ensure secrets are never baked into bundles.
Tasks
process.env.*and falls back to runtime-config for static hosting.vercelanddockerinstructions)..envfiles.Acceptance criteria