fix: harden CI security gates, parallelize builds, externalize secrets

- Make OWASP, Gitleaks, pnpm audit blocking (remove || true fallbacks)
- Add Maven -T 1C for parallel reactor threads
- Fix parallel Docker build race condition (PID tracking + set -euo pipefail)
- Externalize JWT/NextAuth secrets via env vars with dev-only defaults
- Add .env.example with generation instructions
- Add CI/CD infrastructure review document

docker-compose.yml

@@ -27,11 +27,11 @@ services:
       SPRING_PROFILES_ACTIVE: docker
       SPRING_DATASOURCE_URL: jdbc:postgresql://db:5432/cannamanage
       SPRING_DATASOURCE_USERNAME: cannamanage
-      SPRING_DATASOURCE_PASSWORD: cannamanage_dev
+      SPRING_DATASOURCE_PASSWORD: ${DB_PASSWORD:-cannamanage_dev}
       # JwtService base64-decodes this secret (Decoders.BASE64.decode) before using it as the
       # HMAC-SHA key. It MUST be valid base64 — a plaintext string with hyphens throws
       # "Illegal base64 character: '-'" at token-signing time (HTTP 500 after a successful login).
-      CANNAMANAGE_SECURITY_JWT_SECRET: hmSULRhmFYcOXDwYxb7bGXp7Bovh+hXgua/VqF44Ts/N+8YELWpWiqQ+aLrymCuM
+      CANNAMANAGE_SECURITY_JWT_SECRET: ${JWT_SECRET:-dGhpcy1pcy1hLWRldi1vbmx5LXNlY3JldC1kby1ub3QtdXNlLWluLXByb2R1Y3Rpb24=}
     depends_on:
       db:
         condition: service_healthy
@@ -51,7 +51,7 @@ services:
       - "3000:3000"
     environment:
       NEXTAUTH_URL: http://localhost:3000
-      NEXTAUTH_SECRET: docker-dev-nextauth-secret-minimum-32chars
+      NEXTAUTH_SECRET: ${NEXTAUTH_SECRET:-dev-only-nextauth-secret-do-not-use-in-production-min32}
       BACKEND_URL: http://backend:8080
       AUTH_URL: http://localhost:3000
     depends_on: