Security: Remove hardcoded webhook secret from kestra_client.py

## Description
The Kestra webhook secret is hardcoded in `backend/app/core/kestra_client.py` line 31:

```python
webhook_key = "redloop_secret"
```

This is a security vulnerability that exposes the webhook authentication to anyone with code access.

## Impact
- Anyone can trigger Kestra workflows by knowing the secret
- Security breach if repository is public
- Violates security best practices

## Fix Required
1. Move secret to environment variable: `KESTRA_WEBHOOK_KEY`
2. Update `backend/.env.example` with placeholder
3. Read from environment: `os.getenv("KESTRA_WEBHOOK_KEY")`
4. Update documentation with setup instructions
5. Rotate the actual secret in production

## Location
- **File**: `backend/app/core/kestra_client.py`
- **Line**: 31
- **Introduced in**: PR #37 (commit b71260e)

## Related Issues
- Issue #16 (Authentication)
- Issue #24 (Security headers & rate limiting)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Remove hardcoded webhook secret from kestra_client.py #38

Description

Impact

Fix Required

Location

Related Issues

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Security: Remove hardcoded webhook secret from kestra_client.py #38

Description

Description

Impact

Fix Required

Location

Related Issues

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions