fix: use file-based secrets for Stripe API keys (refs #55)

backend/src/features/subscriptions/CLAUDE.md

@@ -45,10 +45,13 @@ Stripe payment integration for subscription tiers and donations.
 ### Webhooks (Public)
 - POST /api/webhooks/stripe - Stripe webhook (signature verified)
 
-## Environment Variables
+## Configuration
 
-- STRIPE_SECRET_KEY
-- STRIPE_WEBHOOK_SECRET
+### Secrets (files via config-loader)
+- `/run/secrets/stripe-secret-key` - Stripe API secret key
+- `/run/secrets/stripe-webhook-secret` - Stripe webhook signing secret
+
+### Environment Variables (docker-compose)
 - STRIPE_PRO_MONTHLY_PRICE_ID
 - STRIPE_PRO_YEARLY_PRICE_ID
 - STRIPE_ENTERPRISE_MONTHLY_PRICE_ID