cleanup

src/config/settings.py

@@ -15,12 +15,16 @@ class Settings(BaseSettings):
     master_password_hash: Optional[str] = Field(
         default=None, env="MASTER_PASSWORD_HASH"
     )
-    # For development only. Never rely on this in production deployments.
+    # ⚠️ WARNING: DEVELOPMENT ONLY - NEVER USE IN PRODUCTION ⚠️
+    # This field allows setting a plaintext master password via environment
+    # variable for development/testing purposes only. In production
+    # deployments, use MASTER_PASSWORD_HASH instead and NEVER set this field.
     master_password: Optional[str] = Field(
         default=None,
         env="MASTER_PASSWORD",
         description=(
-            "Development-only master password; do not enable in production."
+            "**DEVELOPMENT ONLY** - Plaintext master password. "
+            "NEVER enable in production. Use MASTER_PASSWORD_HASH instead."
         ),
     )
     token_expiry_hours: int = Field(