Description
The application currently defaults to a hardcoded SECRET_KEY in backend/core/security.py. While this is a local-first app, we should enforce generating a strict random key on first startup (setup phase) and storing it securely (e.g., in a .env file or the SQLite config table) to prevent potential token forgery if the port is exposed.
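One way to implement the first-startup key generation proposed above, using the .env option. This is an added example, not the project's code: the SECRET_KEY variable name comes from the issue, while the function names, the weak-value list and the 32-character minimum are assumptions.

```python
import os
import secrets
import tempfile
from pathlib import Path

ENV_VAR = "SECRET_KEY"   # name taken from the issue
KEY_BYTES = 32           # assumption: 256 bits of randomness
MIN_KEY_CHARS = 32       # assumption: reject anything shorter
# Constructed list of placeholder values a hardcoded default might use.
KNOWN_WEAK = {"", "changeme", "secret", "your-secret-key"}


def read_env_file(path: Path) -> dict:
    """Parse simple KEY=VALUE lines, skipping blanks and comments."""
    values = {}
    if path.exists():
        for line in path.read_text(encoding="utf-8").splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                name, _, value = line.partition("=")
                values[name.strip()] = value.strip().strip("\"'")
    return values


def is_acceptable(key) -> bool:
    """A stored key is usable only if it is long and not a known default."""
    return (key is not None and key.lower() not in KNOWN_WEAK
            and len(key) >= MIN_KEY_CHARS)


def load_or_create_secret_key(env_path: Path) -> str:
    """Return the persisted key; generate and store one on first startup."""
    existing = read_env_file(env_path).get(ENV_VAR)
    if is_acceptable(existing):
        return existing
    new_key = secrets.token_urlsafe(KEY_BYTES)  # CSPRNG-backed
    # Preserve unrelated settings, drop any old or weak key line.
    kept = []
    if env_path.exists():
        kept = [l for l in env_path.read_text(encoding="utf-8").splitlines()
                if l.partition("=")[0].strip() != ENV_VAR]
    # Write to a temp file in the same directory, then rename atomically,
    # so a crash never leaves a half-written .env behind.
    fd, tmp = tempfile.mkstemp(dir=env_path.parent, prefix=".env.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(kept + [f"{ENV_VAR}={new_key}"]) + "\n")
    os.chmod(tmp, 0o600)  # owner read/write only
    os.replace(tmp, env_path)
    return new_key
```

Calling `load_or_create_secret_key` once at startup and failing closed if it raises leaves no fallback to a built-in default; rotating the key invalidates every token signed with the old one.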