Task #5 (open)
JWT signing key falls back to a public default value
Status: New
Priority: Normal
Assignee: -
Start date: 04/27/2026
Due date:
% Done: 0%
Estimated time:
Description
Where:
src/main/kotlin/com/articon/base/domain/actors/auth/common/services/JwtGenerationService.kt:20
src/main/resources/application.properties:28
What's wrong: Both locations default jwt.secret to defaultSecretKeyThatShouldBeChangedInProduction123456 if the JWT_SECRET env var is not set.
Why it matters: Anyone with source access can forge tokens against any environment booted without the env var (dev/test/CI by default). Misconfiguring prod fails open, not closed — the app boots and serves "valid" tokens.
Suggested fix: Fail-fast on startup when JWT_SECRET is unset (or below a min length), and/or generate a per-process random key for local dev only — never commit the literal.
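An added illustration of the fail-fast resolver the suggested fix describes (example code, not the project's own JwtGenerationService): unset or short secrets abort startup, and only an explicitly enabled local dev profile gets a per-process random key. The class name, the `localDevProfile` flag and the 32-byte minimum are assumptions.

```kotlin
import java.security.SecureRandom

// 32 bytes = 256 bits, the minimum HMAC key size for HS256 (RFC 7518 §3.2). Assumed policy value.
const val MIN_SECRET_BYTES = 32

class JwtSecretResolver(
    // Raw value of jwt.secret; wire it in Spring as @Value("\${jwt.secret:}") so the property
    // default is the EMPTY string, and drop the literal default from application.properties
    // (jwt.secret=${JWT_SECRET} with no fallback).
    private val configuredSecret: String?,
    // Hypothetical flag: true only when the local "dev" profile is active, never in prod/CI.
    private val localDevProfile: Boolean,
) {
    private val random = SecureRandom()

    /** Returns the HMAC key bytes or throws, so the app fails closed instead of booting with a known key. */
    fun resolve(): ByteArray {
        val value = configuredSecret?.trim().orEmpty()
        if (value.isEmpty()) {
            if (localDevProfile) {
                // Local dev only: fresh random key per process. Tokens die with the process,
                // and nothing is committed to source or reusable across environments.
                return ByteArray(MIN_SECRET_BYTES).also { random.nextBytes(it) }
            }
            throw IllegalStateException("JWT_SECRET is not set; refusing to start")
        }
        val bytes = value.toByteArray(Charsets.UTF_8)
        if (bytes.size < MIN_SECRET_BYTES) {
            throw IllegalStateException(
                "JWT_SECRET must be at least $MIN_SECRET_BYTES bytes, got ${bytes.size}"
            )
        }
        return bytes
    }
}

fun main() {
    // Constructed demo inputs covering the four startup cases.
    val prodUnset = runCatching { JwtSecretResolver(null, localDevProfile = false).resolve() }
    println("prod, unset     -> ${prodUnset.exceptionOrNull()?.message}")
    val prodShort = runCatching { JwtSecretResolver("short", localDevProfile = false).resolve() }
    println("prod, too short -> ${prodShort.exceptionOrNull()?.message}")
    val dev = JwtSecretResolver("", localDevProfile = true).resolve()
    println("dev, unset      -> random ${dev.size}-byte key generated")
    val prodOk = JwtSecretResolver("k".repeat(40), localDevProfile = false).resolve()
    println("prod, ok        -> ${prodOk.size}-byte configured key accepted")
}
```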