Security
- JWT signing secret can now be injected via the
QUIETKEEP_JWT_SECRETenvironment variable. When set, it takes precedence and no secret file is written, letting operators keep the secret off disk and source it from an external secret manager. Behaviour is unchanged when unset: a secret is generated and persisted to a0600file in the data volume so login sessions survive restarts.
Defense-in-depth hardening prompted by a CodeQL clear-text-storage finding, triaged as accepted risk for the default self-hosted single-user threat model. See docs/USER_GUIDE.md for usage.
Full changelog: https://github.com/QuietWireDev/QuietKeep/blob/main/CHANGELOG.md