Summary

• externalize production DB/JWT/OAuth/Firebase secrets through environment variables only
• add a prod-only startup validator for missing, placeholder-like, weak, or legacy file-path secrets
• prevent credential-like files from entering resources, Docker build context, or committed backend files
• add local .env.example, update deployment docs, and remove the tracked Firebase plist

Validation

• ./gradlew test --tests 'devkor.ontime_back.security.*'
• ./gradlew clean bootJar
• inspected the built jar for forbidden credential files under BOOT-INF/classes

Notes

• Full ./gradlew test still fails on the existing H2/Flyway migration issue where V1__init.sql creates an unquoted user table. That failure is unrelated to this secret-externalization change.
• External credential rotation in Firebase, Apple, Google, JWT, and the database provider is still required before closing the operational side of issue [P0] Rotate exposed secrets and externalize all runtime credentials #270.

Closes #270