fix(security): reject placeholder/weak JWT secrets at startup

The env-validation module previously only checked that JWT_SECRET and JWT_REFRESH_SECRET were _present_ — it accepted any value, including known placeholders like "CHANGE_ME". This meant a developer could copy .env.example verbatim and run the app with predictable, forgeable tokens.

Changes:
- Add FORBIDDEN_SECRET_VALUES blocklist (case-insensitive) with 23 common placeholder strings (CHANGE_ME, secret, password, test, etc.)
- Enforce minimum 32-character length for JWT secrets (NIST HMAC guidance)
- Export validateJwtSecret() for direct testing and reuse
- Update .env.example: replace "CHANGE_ME" with generation instructions
- Add 14 unit tests covering placeholder rejection, length enforcement, missing-var errors, and production-mode validation

Co-Authored-By: Paperclip <noreply@paperclip.ing>
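A sketch of the startup check the commit message above describes, added here as an illustration and not taken from the commit. `checkJwtSecret`, `checkJwtEnv` and the four-entry blocklist are hypothetical stand-ins (the commit's blocklist has 23 entries and its function is `validateJwtSecret`), and returning a list of problems instead of throwing is an assumption.

```typescript
// Added illustration: every name in this block is hypothetical, not the project's code.
const MIN_SECRET_LENGTH = 32; // minimum length stated in the commit message

// Constructed subset of placeholders named in the commit message, stored lowercase.
const FORBIDDEN_PLACEHOLDERS: ReadonlyArray<string> = [
  'change_me',
  'secret',
  'password',
  'test',
];

type Env = Record<string, string | undefined>;

// Returns the reason a secret is unusable, or null when it passes every check.
function checkJwtSecret(name: string, value: string | undefined): string | null {
  if (value === undefined || value.trim() === '') {
    return `${name} is missing`;
  }
  // Case-insensitive match, so "Change_Me" and "CHANGE_ME" are the same placeholder.
  // Checked before length so the operator is told the value is a placeholder,
  // not merely that it is too short.
  const normalized = value.trim().toLowerCase();
  if (FORBIDDEN_PLACEHOLDERS.some((p) => p === normalized)) {
    return `${name} is a known placeholder`;
  }
  if (value.length < MIN_SECRET_LENGTH) {
    return `${name} is shorter than ${MIN_SECRET_LENGTH} characters`;
  }
  return null;
}

// Checks both secrets and collects every problem, so one failed startup
// lists everything that has to be fixed.
function checkJwtEnv(env: Env): string[] {
  const problems: string[] = [];
  for (const name of ['JWT_SECRET', 'JWT_REFRESH_SECRET']) {
    const problem = checkJwtSecret(name, env[name]);
    if (problem !== null) problems.push(problem);
  }
  return problems;
}

// Constructed sample: a placeholder copied from .env.example plus a 16-character secret.
const sampleEnv: Env = { JWT_SECRET: 'Change_Me', JWT_REFRESH_SECRET: '0123456789abcdef' };
const sampleProblems = checkJwtEnv(sampleEnv); // non-empty, so startup should be refused
```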
@@ -11,4 +11,4 @@ export { maskPii } from './pii-masker';
|
||||
export { ThrottlerBehindProxyGuard } from './guards/throttler-behind-proxy.guard';
|
||||
export { FileValidationPipe } from './pipes/file-validation.pipe';
|
||||
export type { FileValidationOptions } from './pipes/file-validation.pipe';
|
||||
export { validateEnv } from './env-validation';
|
||||
export { validateEnv, validateJwtSecret } from './env-validation';
|
||||
|
||||
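Review bot: validateJwtSecret becomes public API through the barrel export line that names it at the end of this hunk, but its contract is not documented in anything shown here. Before other callers pick it up, add a doc comment at its definition in ./env-validation stating whether it throws or returns on a rejected secret and whether it applies the same rules to JWT_SECRET and JWT_REFRESH_SECRET. If the export is needed mainly so the unit tests can reach the function, importing it from './env-validation' directly in the tests would leave the barrel's surface unchanged.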