
[BOUNTY] Validate required production secrets in config generator (#1) #22

Closed

leo202000 wants to merge 2 commits into Soengkit:main from leo202000:feat/validate-production-secrets


Conversation

@leo202000


Summary

Closes #1. Adds focused validation for required production secrets so a production config is never accepted with empty or placeholder-like secret values.

Changes

  • tools/config_generator.py:
    • validate_required_secrets(config, env) returns human-readable errors that identify the offending key path but never print the secret value
    • generate_config("production") raises SecretValidationError when any required secret is empty, missing, or placeholder-like (e.g. changeme, placeholder, todo, <set-me>, or values shorter than 8 chars)
    • load_secret_overrides() reads TOT_DATABASE_PASSWORD / TOT_REDIS_PASSWORD / TOT_JWT_SECRET so production configs can be generated from env vars / a vault
    • Non-production environments (development, staging) skip validation so sample config generation stays compatible
  • tests/test_config_secret_validation.py: 16 tests covering valid, missing, placeholder-like, short, non-prod compatibility, no-value-leak, and env-var loading
  • docs/OPERATIONS.md: documents the validation behavior and required env vars under the Security section

Testing

Ran locally (Windows, Python 3.14):

  • python -m unittest tests.test_config_secret_validation -> 16 passed
  • python -m unittest discover -s tests -> 24 passed (no regressions in existing tests)
  • python tools/config_generator.py --env production --stdout -> fails fast listing the 3 missing secrets (no traceback)
  • python tools/config_generator.py --env development --format json --stdout -> succeeds (non-prod compatible)
  • With TOT_* env vars set, production generation succeeds and secrets are masked by default (--show-sensitive reveals them)
  • Diagnostic build log generated via build.py and included at diagnostic/build-e3f58e84.logd

Checklist

  • Relevant modules affected by these changes build locally
  • Tests pass locally
  • Diagnostic build log is committed in this PR
  • Documentation has been updated, if applicable
  • Configuration or schema changes are documented, if applicable
  • No generated build artifacts are committed, except the required diagnostic build log
  • Changes are scoped to the PR purpose and avoid unrelated cleanup
  • Security, privacy, and error-handling implications have been considered

  • I would like to request that my diagnostic build log is removed before merging

Add focused validation for required production secrets before a production
config is accepted. The generator now fails fast when database.password,
redis.password, or auth.jwt_secret is empty, missing, or placeholder-like.

- validate_required_secrets() returns human-readable errors identifying the
  key path but never the secret value
- generate_config('production') raises SecretValidationError on invalid secrets
- load_secret_overrides() reads TOT_DATABASE_PASSWORD / TOT_REDIS_PASSWORD /
  TOT_JWT_SECRET so production configs can be generated from a vault/env
- Non-production environments skip validation so sample generation is unchanged
- Add tests/test_config_secret_validation.py (valid, missing, placeholder,
  non-prod compatibility, no-value-leak, env-var loading)
- Document the validation behavior in docs/OPERATIONS.md
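The validation flow the PR describes, written out as an added illustrative implementation (not the project's tools/config_generator.py). The key paths, TOT_* variable names, placeholder words, 8-character minimum and the SecretValidationError name come from the PR text; the nested-dict config layout, the section.key nesting and the function signatures are assumptions.

```python
import copy
import os

# Key paths, env-var names and placeholder words come from the PR; the rest is assumed.
REQUIRED_SECRETS = {
    "database.password": "TOT_DATABASE_PASSWORD",
    "redis.password": "TOT_REDIS_PASSWORD",
    "auth.jwt_secret": "TOT_JWT_SECRET",
}
PLACEHOLDER_VALUES = {"changeme", "placeholder", "todo", "<set-me>"}
MIN_SECRET_LENGTH = 8

class SecretValidationError(ValueError):
    """Raised when a production config carries unusable secret values."""

def _lookup(config, path):
    # Walk a dotted path through nested dicts; None when any part is absent.
    node = config
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def load_secret_overrides(config, environ=os.environ):
    """Write each TOT_* variable that is set onto its section.key in config."""
    for path, var in REQUIRED_SECRETS.items():
        if var in environ:
            section, key = path.split(".")
            config.setdefault(section, {})[key] = environ[var]
    return config

def validate_required_secrets(config, env):
    """Return error strings that name the key path but never echo the value."""
    if env != "production":
        return []  # development/staging keep accepting sample values
    errors = []
    for path in REQUIRED_SECRETS:
        value = _lookup(config, path)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{path}: required secret is missing or empty")
        elif value.strip().lower() in PLACEHOLDER_VALUES:
            errors.append(f"{path}: value is a placeholder, set a real secret")
        elif len(value) < MIN_SECRET_LENGTH:
            errors.append(f"{path}: value is shorter than {MIN_SECRET_LENGTH} chars")
    return errors

def generate_config(env, base, environ=os.environ):
    """Apply env overrides to a copy of base, then fail fast for production."""
    config = load_secret_overrides(copy.deepcopy(base), environ)
    errors = validate_required_secrets(config, env)
    if errors:
        raise SecretValidationError("\n".join(errors))
    return config
```

Because the error strings carry only the key path, the fail-fast message can be logged or shown in CI output without leaking whatever value was rejected.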
@Soengkit (Owner)

Closing this PR because the linked fork issue is only a closed payout tracker for an already submitted upstream PR. This fork is not an active bounty intake or payment authority, and it is not accepting external submissions or payment details here.

Soengkit closed this Jun 23, 2026


Development

Successfully merging this pull request may close these issues.

Payout tracking for upstream PR #442
