fix: use file-based secrets for Stripe API keys (refs #55)

backend/src/features/subscriptions/CLAUDE.md

@@ -45,10 +45,13 @@ Stripe payment integration for subscription tiers and donations.
 ### Webhooks (Public)
 - POST /api/webhooks/stripe - Stripe webhook (signature verified)
 
-## Environment Variables
+## Configuration
 
-- STRIPE_SECRET_KEY
-- STRIPE_WEBHOOK_SECRET
+### Secrets (files via config-loader)
+- `/run/secrets/stripe-secret-key` - Stripe API secret key
+- `/run/secrets/stripe-webhook-secret` - Stripe webhook signing secret
+
+### Environment Variables (docker-compose)
 - STRIPE_PRO_MONTHLY_PRICE_ID
 - STRIPE_PRO_YEARLY_PRICE_ID
 - STRIPE_ENTERPRISE_MONTHLY_PRICE_ID

backend/src/features/subscriptions/README.md

@@ -151,11 +151,18 @@ When user downgrades to a tier with fewer vehicle allowance:
 5. Selections saved to tier_vehicle_selections table
 6. On upgrade, all vehicles become accessible again
 
-## Environment Variables
+## Configuration
 
+### Secrets (loaded from files via config-loader)
+Secrets are loaded from `/run/secrets/` (or `SECRETS_DIR` env var):
+```
+/run/secrets/stripe-secret-key      # Stripe API secret key
+/run/secrets/stripe-webhook-secret  # Stripe webhook signing secret
+```
+
+### Environment Variables (docker-compose)
+Price IDs are not secrets and are configured via environment variables:
 ```
-STRIPE_SECRET_KEY=sk_live_...
-STRIPE_WEBHOOK_SECRET=whsec_...
 STRIPE_PRO_MONTHLY_PRICE_ID=price_...
 STRIPE_PRO_YEARLY_PRICE_ID=price_...
 STRIPE_ENTERPRISE_MONTHLY_PRICE_ID=price_...

backend/src/features/subscriptions/external/stripe/stripe.client.ts

@@ -5,6 +5,7 @@
 
 import Stripe from 'stripe';
 import { logger } from '../../../../core/logging/logger';
+import { appConfig } from '../../../../core/config/config-loader';
 import {
   StripeCustomer,
   StripeSubscription,
@@ -14,18 +15,18 @@ import {
 
 export class StripeClient {
   private stripe: Stripe;
+  private webhookSecret: string;
 
   constructor() {
-    const apiKey = process.env.STRIPE_SECRET_KEY;
-    if (!apiKey) {
-      throw new Error('STRIPE_SECRET_KEY environment variable is required');
-    }
+    const stripeConfig = appConfig.getStripeConfig();
 
-    this.stripe = new Stripe(apiKey, {
+    this.stripe = new Stripe(stripeConfig.secretKey, {
       apiVersion: '2025-12-15.clover',
       typescript: true,
     });
 
+    this.webhookSecret = stripeConfig.webhookSecret;
+
     logger.info('Stripe client initialized');
   }
 
@@ -237,15 +238,10 @@ export class StripeClient {
    */
   constructWebhookEvent(payload: Buffer, signature: string): StripeWebhookEvent {
     try {
-      const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET;
-      if (!webhookSecret) {
-        throw new Error('STRIPE_WEBHOOK_SECRET environment variable is required');
-      }
-
       const event = this.stripe.webhooks.constructEvent(
         payload,
         signature,
-        webhookSecret
+        this.webhookSecret
       );
 
       logger.info('Stripe webhook event verified', { eventId: event.id, type: event.type });