fix(config): validate production secrets

[christianarriaga1234-coder]

Summary

• Validates required production secrets before accepting production config.
• Loads DATABASE_PASSWORD, REDIS_PASSWORD, and AUTH_JWT_SECRET from the environment.
• Rejects empty and placeholder values without exposing secret contents.
• Keeps development and staging output compatible.

Closes #1.

Changes

• Added production secret validation and environment mapping.
• Removed duplicate auth.jwt_secret entries from SENSITIVE_KEYS.
• Added five focused unit tests.
• Documented production secret requirements in docs/OPERATIONS.md.
• Added encrypted diagnostic artifacts for commit 45f49127.

Testing

• python -m unittest tests.test_config_generator_production_secrets -v - 5 passed.
• Development JSON generation - exit 0.
• Production without secrets - exit 1.
• Production with all required environment variables - exit 0; values masked.
• GitHub Actions diagnostic run: https://github.com/christianarriaga1234-coder/frailbox-checkpoint/actions/runs/28071017690 - passed.
• Diagnostic: diagnostic/build-45f49127.logd
• Metadata: diagnostic/build-45f49127.json
• Decrypt password: bc8ff9d39d3268fbcc63

Checklist

• Relevant modules affected by these changes build locally
• Tests pass locally
• Diagnostic build log is committed in this PR
• Documentation has been updated, if applicable
• Configuration or schema changes are documented, if applicable
• No generated build artifacts are committed, except the required diagnostic build log
• Changes are scoped to the PR purpose and avoid unrelated cleanup
• Security, privacy, and error-handling implications have been considered

---

• I would like to request that my diagnostic build log is removed before merging