beb8abb2bc
Sharing the JWT secret with express-session means a single leaked secret compromises both auth mechanisms. SESSION_SECRET is now read from its own env var, falling back to SECRET only if not set.