fix(security): disable Swagger in prod, remove dead debug field, harden env config

backend/src/app.py

@@ -48,7 +48,14 @@ async def lifespan(_: FastAPI) -> AsyncGenerator[None, None]:
         logger.info("Base services closed", services=SERVICE_STARTUP_ORDER)
 
 
-app = FastAPI(lifespan=lifespan)
+_is_prod = config.runtime.environment == "prod"
+
+app = FastAPI(
+    lifespan=lifespan,
+    docs_url=None if _is_prod else "/docs",
+    redoc_url=None if _is_prod else "/redoc",
+    openapi_url=None if _is_prod else "/openapi.json",
+)
 app.add_middleware(
     CORSMiddleware,
     allow_origins=config.cors.allow_origins,

backend/src/core/config/settings.py

@@ -35,7 +35,6 @@ def _resolve_project_root() -> Path:
 class RuntimeSettings(BaseModel):
     environment: Literal["dev", "test", "prod"] = "dev"
     service_name: str = "app"
-    debug: bool = True
     log_level: str = "INFO"
     log_json: bool = True
     log_rotation: Literal["time", "size", "none"] = "time"