- auth: first registered user becomes superadmin (active immediately)
- entrypoint: no longer seeds demo data in prod (opt-in via RUN_SEED=1)
- config: refuse to boot in prod with weak/placeholder SECRET_KEY (<32 chars)
- main: restrict CORS to FRONTEND_URL only in prod (localhost dev-only)
- seed_db: block prod seeding, read passwords from env, stop printing them
- login: remove demo account credentials from UI
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
exec ./entrypoint.sh: no such file or directory was caused by
Windows-style line endings making the shebang unresolvable.
Also add .gitattributes to enforce LF for shell scripts.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
