All secrets (DB passwords, API keys, JWT secret) are now sourced
exclusively from config/env/.env.local, which is gitignored.
Nodemon only sets APP_ENV=local so that app.js's dotenv loader
picks up the right env file at boot.
Note: the previously committed values are still in git history.
They must be rotated out-of-band (rotation list tracked separately).