Harden secret handling: remove weak fallback defaults, fail fast on missing env vars

JWT_SECRET and ADMIN_KEY no longer fall back to insecure defaults.
The app will throw at startup if these env vars are not set.
docker-compose.yml now uses :? syntax to require them.

Co-authored-by: Cursor <cursoragent@cursor.com>

backend/routes/auth.js

@@ -4,7 +4,10 @@ const { JWT_SECRET, authenticateToken } = require('../middleware/auth');
 
 const router = express.Router();
 
-const ADMIN_KEY = process.env.ADMIN_KEY || 'admin123';
+if (!process.env.ADMIN_KEY) {
+  throw new Error('ADMIN_KEY environment variable is required');
+}
+const ADMIN_KEY = process.env.ADMIN_KEY;
 
 // Login with admin key
 router.post('/login', (req, res) => {