fix(security): fail fast when download HMAC secret is missing

Resolves the issue where getSecret() silently fell back to the literal
string "dev-secret" when neither DOWNLOAD_SIGNING_SECRET nor
SUPABASE_SECRET_KEY was set. Because the codebase is public, that
fallback let anyone forge valid /download/:token signatures against a
mis-configured deployment.

- Throw at first call instead of returning the hardcoded string, with a
  message pointing the operator at `openssl rand -hex 32`.
- Document DOWNLOAD_SIGNING_SECRET in backend/.env.example so deployers
  following the README know to set it (and that it should be distinct
  from SUPABASE_SECRET_KEY).

Closes #7
Metbcy 2026-05-03 00:12:44 +00:00
parent d9690965b5
commit eb4414092e
2 changed files with 14 additions and 4 deletions


@ -10,11 +10,16 @@ import crypto from "crypto";
*/
function getSecret(): string {
return (
const secret =
process.env.DOWNLOAD_SIGNING_SECRET ??
process.env.SUPABASE_SECRET_KEY ??
"dev-secret"
);
process.env.SUPABASE_SECRET_KEY;
if (!secret) {
throw new Error(
"DOWNLOAD_SIGNING_SECRET (or SUPABASE_SECRET_KEY as a fallback) must be set. " +
"Generate a strong random value (e.g. `openssl rand -hex 32`) and set it in the environment.",
);
}
return secret;
}
function b64urlEncode(buf: Buffer): string {
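Review bot: The new guard only rejects an empty or unset value, so `DOWNLOAD_SIGNING_SECRET=x` still passes and every /download/:token HMAC is keyed by a one-character secret; after the `if (!secret)` block add a length floor such as `if (secret.length < 32) throw new Error("DOWNLOAD_SIGNING_SECRET must be at least 32 characters (e.g. the output of openssl rand -hex 32)");`. The fallback to SUPABASE_SECRET_KEY is kept, so a deployment that sets only the Supabase key silently reuses it as the signing key, which the .env.example guidance in this commit says should be distinct; a warning on that branch (or dropping the fallback in a follow-up) would make the reuse visible. The throw happens on the first call to getSecret(), which presumably is the first signing or verification request rather than process start; evaluating it once at module load, e.g. `const SIGNING_SECRET = getSecret();`, would make a misconfigured deployment fail at boot as the title intends. b64urlEncode on the last line continues outside the hunk.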