ae3a335ea1
- auth_service.py: RESET_OTP_SECRET no longer crashes at import; read lazily inside _hash_otp() so the module always loads cleanly - main.py: _validate_runtime_secrets() now checks both BROKER_TOKEN_KEY and RESET_OTP_SECRET together, reporting all missing vars in one clear message - .env.example: documents every required/optional env var with generation commands With load_dotenv() + .env file, all secrets survive pm2 restarts automatically. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>