P0-hardening follow-up from 2026-05-29 Trawl audit (infra docs/superpowers/plans/2026-05-29-trawl-audit-p0p1.md). Trawl prod was found signing JWTs with the committed per-project default TrawlNodeDevSecret (mitigated in infra by injecting a real secret).

Root cause is permissive validation: lib/helpers/config.js:62 validateJwtSecret only console.logs a warning, and only for the devkit placeholder WaosSecretKeyExampleToChnageAbsolutely — it misses any downstream project default and never throws.

Fix: in non-dev/test envs, throw (crash-loop loud) when jwt secret is empty, a known default, or < 32 chars; keep dev warning. Also tighten modules/home/services/home.service.js:131-136 readiness check to the same rule. Propagate downstream via /update-stack.

⚠️ Downstream projects must inject a real DEVKIT_NODE_jwt_secret BEFORE this lands or pods crash-loop.
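A sketch of the stricter rule described above, added here as an illustration and not taken from the devkit's code. The `config.jwt.secret` shape, the helper names `jwtSecretProblem` and `jwtReadiness`, and the `development`/`test` environment names are assumptions; the two default strings are the ones quoted in this issue.

```javascript
// Added example: names are hypothetical except the two default strings.
const KNOWN_DEFAULT_SECRETS = new Set([
  'WaosSecretKeyExampleToChnageAbsolutely', // devkit placeholder
  'TrawlNodeDevSecret', // downstream project default found in the audit
]);
const MIN_SECRET_LENGTH = 32;
// Assumed NODE_ENV values; an unset NODE_ENV is treated as strict (fail closed).
const RELAXED_ENVS = new Set(['development', 'test']);

// Returns a reason string when the secret is unacceptable, otherwise null.
function jwtSecretProblem(secret) {
  if (typeof secret !== 'string' || secret.trim() === '') return 'empty';
  if (KNOWN_DEFAULT_SECRETS.has(secret)) return 'known default';
  if (secret.length < MIN_SECRET_LENGTH) {
    return `shorter than ${MIN_SECRET_LENGTH} chars`;
  }
  return null;
}

// Startup check: warn in dev/test, throw elsewhere so the pod fails loudly.
// The message names the reason only and never echoes the secret value.
function validateJwtSecret(config, env = process.env.NODE_ENV) {
  const problem = jwtSecretProblem(config && config.jwt && config.jwt.secret);
  if (!problem) return true;
  const message = `JWT secret rejected (${problem}); inject DEVKIT_NODE_jwt_secret`;
  if (RELAXED_ENVS.has(env)) {
    console.warn(`WARNING: ${message}`);
    return false;
  }
  throw new Error(message);
}

// Readiness probe reuses the same rule, so a weak secret never reports ready.
function jwtReadiness(config) {
  const problem = jwtSecretProblem(config && config.jwt && config.jwt.secret);
  return { ok: problem === null, reason: problem };
}
```

Keeping the rule in one function means the startup check and the readiness check cannot drift apart, and a new downstream default only has to be added to one set.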