fix: remove JWT_SECRET env var — server manages it exclusively

Setting JWT_SECRET via environment variable was broken by design:
the admin panel rotation updates the in-memory binding and persists
the new value to data/.jwt_secret, but an env var would silently
override it on the next restart, reverting the rotation.

The server now always loads JWT_SECRET from data/.jwt_secret
(auto-generating it on first start), making the file the single
source of truth. Rotation is handled exclusively through the admin
panel.

- config.ts: drop process.env.JWT_SECRET fallback and
  JWT_SECRET_IS_GENERATED export; always read from / write to
  data/.jwt_secret
- index.ts: remove the now-obsolete JWT_SECRET startup warning
- .env.example, docker-compose.yml, README: remove JWT_SECRET entries
- Helm chart: remove JWT_SECRET from secretEnv, secret.yaml, and
  deployment.yaml; rename generateJwtSecret → generateEncryptionKey
  and update NOTES.txt and README accordingly

chart/README.md

@@ -14,7 +14,6 @@ This is a minimal Helm chart for deploying the TREK app.
 
 ```sh
 helm install trek ./chart \
-  --set secretEnv.JWT_SECRET=your_jwt_secret \
   --set ingress.enabled=true \
   --set ingress.hosts[0].host=yourdomain.com
 ```
@@ -29,6 +28,6 @@ See `values.yaml` for more options.
 ## Notes
 - Ingress is off by default. Enable and configure hosts for your domain.
 - PVCs require a default StorageClass or specify one as needed.
-- `JWT_SECRET` should be set for production use; auto-generated and persisted to the data PVC if not provided.
+- `JWT_SECRET` is managed entirely by the server — auto-generated into the data PVC on first start and rotatable via the admin panel (Settings → Danger Zone). No Helm configuration needed.
 - `ENCRYPTION_KEY` encrypts stored secrets (API keys, MFA, SMTP, OIDC) at rest. Auto-generated and persisted to the data PVC if not provided. **Upgrading:** if a previous version used `JWT_SECRET`-derived encryption, set `secretEnv.ENCRYPTION_KEY` to your old `JWT_SECRET` value to keep existing encrypted data readable, then re-save credentials via the admin panel.
 - If using ingress, you must manually keep `env.ALLOWED_ORIGINS` and `ingress.hosts` in sync to ensure CORS works correctly. The chart does not sync these automatically.

chart/templates/NOTES.txt

@@ -1,18 +1,24 @@
-1. Secret handling (JWT_SECRET and ENCRYPTION_KEY):
-   - By default, the chart creates a Kubernetes Secret from the values in `secretEnv.JWT_SECRET` and `secretEnv.ENCRYPTION_KEY`.
-   - To generate random values for both at install (preserved across upgrades), set `generateJwtSecret: true`.
-   - To use an existing Kubernetes secret, set `existingSecret` to the secret name. The secret must contain a key matching `existingSecretKey` (defaults to `JWT_SECRET`) and optionally an `ENCRYPTION_KEY` key. If `ENCRYPTION_KEY` is absent from the external secret, the server auto-generates and persists it to the data volume.
+1. ENCRYPTION_KEY handling:
+   - ENCRYPTION_KEY encrypts stored secrets (API keys, MFA, SMTP, OIDC) at rest.
+   - By default, the chart creates a Kubernetes Secret from `secretEnv.ENCRYPTION_KEY` in values.yaml.
+   - To generate a random key at install (preserved across upgrades), set `generateEncryptionKey: true`.
+   - To use an existing Kubernetes secret, set `existingSecret` to the secret name. The secret must
+     contain a key matching `existingSecretKey` (defaults to `ENCRYPTION_KEY`).
+   - If left empty, the server auto-generates and persists the key to the data PVC — safe as long as
+     the PVC persists.
+   - Upgrading from a version that used JWT_SECRET for encryption: set `secretEnv.ENCRYPTION_KEY` to
+     your old JWT_SECRET value, then re-save credentials via the admin panel.
 
-2. ENCRYPTION_KEY notes:
-   - Encrypts stored API keys, MFA secrets, SMTP password, and OIDC client secret at rest.
-   - If left empty, auto-generated by the server and saved to the data PVC — safe as long as the PVC persists.
-   - Upgrading from a version that used JWT_SECRET for encryption: set `secretEnv.ENCRYPTION_KEY` to your old JWT_SECRET value to keep existing encrypted data readable, then re-save credentials via the admin panel.
+2. JWT_SECRET is managed entirely by the server:
+   - Auto-generated on first start and persisted to the data PVC (data/.jwt_secret).
+   - Rotate it via the admin panel (Settings → Danger Zone → Rotate JWT Secret).
+   - No Helm configuration needed or supported.
 
 3. Example usage:
-   - Set explicit secrets: `--set secretEnv.JWT_SECRET=your_secret --set secretEnv.ENCRYPTION_KEY=your_enc_key`
-   - Generate random secrets: `--set generateJwtSecret=true`
+   - Set an explicit encryption key: `--set secretEnv.ENCRYPTION_KEY=your_enc_key`
+   - Generate a random key at install: `--set generateEncryptionKey=true`
    - Use an existing secret: `--set existingSecret=my-k8s-secret`
-   - Use a custom key for JWT in existing secret: `--set existingSecret=my-k8s-secret --set existingSecretKey=MY_JWT_KEY`
+   - Use a custom key name in the existing secret: `--set existingSecret=my-k8s-secret --set existingSecretKey=MY_ENC_KEY`
 
-4. Only one method should be used at a time. If both `generateJwtSecret` and `existingSecret` are set, `existingSecret` takes precedence.
-   If using `existingSecret`, ensure the referenced secret and keys exist in the target namespace.
+4. Only one method should be used at a time. If both `generateEncryptionKey` and `existingSecret` are
+   set, `existingSecret` takes precedence. Ensure the referenced secret and key exist in the namespace.

chart/templates/deployment.yaml

@@ -36,16 +36,11 @@ spec:
             - configMapRef:
                 name: {{ include "trek.fullname" . }}-config
           env:
-            - name: JWT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: {{ default (printf "%s-secret" (include "trek.fullname" .)) .Values.existingSecret }}
-                  key: {{ .Values.existingSecretKey | default "JWT_SECRET" }}
             - name: ENCRYPTION_KEY
               valueFrom:
                 secretKeyRef:
                   name: {{ default (printf "%s-secret" (include "trek.fullname" .)) .Values.existingSecret }}
-                  key: ENCRYPTION_KEY
+                  key: {{ .Values.existingSecretKey | default "ENCRYPTION_KEY" }}
                   optional: true
           volumeMounts:
             - name: data

chart/templates/secret.yaml

@@ -1,4 +1,4 @@
-{{- if and (not .Values.existingSecret) (not .Values.generateJwtSecret) }}
+{{- if and (not .Values.existingSecret) (not .Values.generateEncryptionKey) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,11 +7,10 @@ metadata:
     app: {{ include "trek.name" . }}
 type: Opaque
 data:
-  {{ .Values.existingSecretKey | default "JWT_SECRET" }}: {{ .Values.secretEnv.JWT_SECRET | b64enc | quote }}
-  ENCRYPTION_KEY: {{ .Values.secretEnv.ENCRYPTION_KEY | b64enc | quote }}
+  {{ .Values.existingSecretKey | default "ENCRYPTION_KEY" }}: {{ .Values.secretEnv.ENCRYPTION_KEY | b64enc | quote }}
 {{- end }}
 
-{{- if and (not .Values.existingSecret) (.Values.generateJwtSecret) }}
+{{- if and (not .Values.existingSecret) (.Values.generateEncryptionKey) }}
 {{- $secretName := printf "%s-secret" (include "trek.fullname" .) }}
 {{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
 apiVersion: v1
@@ -23,10 +22,8 @@ metadata:
 type: Opaque
 stringData:
   {{- if and $existingSecret $existingSecret.data }}
-  {{ .Values.existingSecretKey | default "JWT_SECRET" }}: {{ index $existingSecret.data (.Values.existingSecretKey | default "JWT_SECRET") | b64dec }}
-  ENCRYPTION_KEY: {{ index $existingSecret.data "ENCRYPTION_KEY" | b64dec }}
+  {{ .Values.existingSecretKey | default "ENCRYPTION_KEY" }}: {{ index $existingSecret.data (.Values.existingSecretKey | default "ENCRYPTION_KEY") | b64dec }}
   {{- else }}
-  {{ .Values.existingSecretKey | default "JWT_SECRET" }}: {{ randAlphaNum 32 }}
-  ENCRYPTION_KEY: {{ randAlphaNum 32 }}
+  {{ .Values.existingSecretKey | default "ENCRYPTION_KEY" }}: {{ randAlphaNum 32 }}
   {{- end }}
 {{- end }}

chart/values.yaml

@@ -19,10 +19,10 @@ env:
 # NOTE: If using ingress, ensure env.ALLOWED_ORIGINS matches the domains in ingress.hosts for proper CORS configuration.
 
 
-# Secret environment variables stored in a Kubernetes Secret
+# Secret environment variables stored in a Kubernetes Secret.
+# JWT_SECRET is managed entirely by the server (auto-generated into the data PVC,
+# rotatable via the admin panel) — it is not configured here.
 secretEnv:
-  # JWT signing secret. Auto-generated and persisted to the data PVC if not set.
-  JWT_SECRET: ""
   # At-rest encryption key for stored secrets (API keys, MFA, SMTP, OIDC, etc.).
   # Auto-generated and persisted to the data PVC if not set.
   # Upgrading from a version that used JWT_SECRET for encryption: set this to your
@@ -30,13 +30,12 @@ secretEnv:
   # credentials via the admin panel and rotate to a fresh random key.
   ENCRYPTION_KEY: ""
 
-# If true, random values for JWT_SECRET and ENCRYPTION_KEY are generated at install
-# and preserved across upgrades (overrides secretEnv values)
-generateJwtSecret: false
+# If true, a random ENCRYPTION_KEY is generated at install and preserved across upgrades
+generateEncryptionKey: false
 
-# If set, use an existing Kubernetes secret for JWT_SECRET (and optionally ENCRYPTION_KEY)
+# If set, use an existing Kubernetes secret that contains ENCRYPTION_KEY
 existingSecret: ""
-existingSecretKey: JWT_SECRET
+existingSecretKey: ENCRYPTION_KEY
 
 persistence:
   enabled: true