fix: use file-based secrets for Stripe API keys (refs #55)

backend/src/core/config/config-loader.ts

@@ -126,6 +126,9 @@ const secretsSchema = z.object({
   auth0_management_client_secret: z.string(),
   google_maps_api_key: z.string(),
   resend_api_key: z.string(),
+  // Stripe secrets (API keys only - price IDs are config, not secrets)
+  stripe_secret_key: z.string(),
+  stripe_webhook_secret: z.string(),
 });
 
 type Config = z.infer<typeof configSchema>;
@@ -140,6 +143,10 @@ export interface AppConfiguration {
   getRedisUrl(): string;
   getAuth0Config(): { domain: string; audience: string; clientSecret: string };
   getAuth0ManagementConfig(): { domain: string; clientId: string; clientSecret: string };
+  getStripeConfig(): {
+    secretKey: string;
+    webhookSecret: string;
+  };
 }
 
 class ConfigurationLoader {
@@ -178,6 +185,8 @@ class ConfigurationLoader {
       'auth0-management-client-secret',
       'google-maps-api-key',
       'resend-api-key',
+      'stripe-secret-key',
+      'stripe-webhook-secret',
     ];
 
     for (const secretFile of secretFiles) {
@@ -240,6 +249,13 @@ class ConfigurationLoader {
           clientSecret: secrets.auth0_management_client_secret,
         };
       },
+
+      getStripeConfig() {
+        return {
+          secretKey: secrets.stripe_secret_key,
+          webhookSecret: secrets.stripe_webhook_secret,
+        };
+      },
     };
 
     // Set RESEND_API_KEY in environment for EmailService