Refactor config and add comprehensive tests

- Updated config.py to support environment-based configuration
- Added test_config.py with full test coverage
- Updated Backend-Development.md with configuration documentation
- Removed outdated tasks from Tasks.md

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Docs/Backend-Development.md

@@ -638,6 +638,35 @@ class Settings(BaseSettings):
     model_config = {"env_prefix": "BANGUI_", "env_file": ".env"}
 ```
 
+### Session Secret Configuration
+
+The `session_secret` is the HMAC key used to sign all session tokens. It must be at least 32 characters (256 bits) to provide sufficient cryptographic strength for HMAC-SHA256.
+
+**Minimum Length:** 32 characters
+
+**Why 32 characters?** Session tokens are signed using HMAC-SHA256. A secret shorter than 32 bytes (256 bits) significantly weakens the signature, potentially allowing attackers to forge valid tokens. The constraint is enforced at startup — the application will fail to start if `session_secret` is shorter than 32 characters.
+
+**Generation:** Generate a secure secret using Python:
+
+```bash
+python -c "import secrets; print(secrets.token_hex(32))"
+```
+
+This produces a 64-character hexadecimal string (256 bits) suitable for production use.
+
+**Environment Variable:**
+
+```bash
+BANGUI_SESSION_SECRET="your-32-character-minimum-secret-here"
+```
+
+**Never** commit the actual secret to the repository. Provide a `.env.example` with a placeholder:
+
+```bash
+# .env.example
+BANGUI_SESSION_SECRET="set-this-to-a-32-character-minimum-secret"
+```
+
 ### Session Cookie Security
 
 The `session_cookie_secure` configuration controls the `Secure` flag on the session cookie. This flag prevents browsers from sending the session cookie over unencrypted HTTP.