Security & Configuration Notes

Baseline controls

- Import endpoint is now admin-gated.
- Import payloads are validated before processing.
- Env vars are validated at startup via src/env.ts.

Recommended operations policy

- Set ADMIN_EMAILS in production (comma-separated list).
- Rotate NEXTAUTH_SECRET for each environment.
- Never commit .env files containing real secrets.
- Restrict who can access /import at network or app routing level if possible.
- Monitor import usage and keep a server log/audit trail.

Environment variables

- DATABASE_URL
- NEXTAUTH_SECRET
- STRAVA_CLIENT_ID
- STRAVA_CLIENT_SECRET
- ADMIN_EMAILS (optional, recommended in prod)
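
One way the startup validation and the ADMIN_EMAILS allowlist described above can fit together, as an added example that is not the project's own src/env.ts. The names validateEnv, parseAdminEmails and isAdmin, the use of NODE_ENV, and the deny-by-default behaviour when the allowlist is empty are assumptions.

```typescript
// Added example: a hypothetical validator, not the project's src/env.ts.
type Env = Record<string, string | undefined>;
interface AppConfig { adminEmails: Set<string>; warnings: string[] }

// Variables the notes list without an "optional" marker.
const REQUIRED = [
  "DATABASE_URL", "NEXTAUTH_SECRET", "STRAVA_CLIENT_ID", "STRAVA_CLIENT_SECRET",
] as const;

// Split the comma-separated ADMIN_EMAILS value; trim and lower-case each entry
// so " Alice@Example.com" and "alice@example.com" refer to the same admin.
function parseAdminEmails(raw: string | undefined): Set<string> {
  const out = new Set<string>();
  for (const part of (raw ?? "").split(",")) {
    const email = part.trim().toLowerCase();
    if (email === "") continue; // tolerate trailing commas
    if (!/^[^\s@]+@[^\s@]+$/.test(email)) {
      throw new Error(`ADMIN_EMAILS contains an invalid entry: "${email}"`);
    }
    out.add(email);
  }
  return out;
}

// Fail fast at startup: report every missing variable in one error,
// naming the variables but never echoing their values.
function validateEnv(env: Env): AppConfig {
  const missing = REQUIRED.filter((k) => (env[k] ?? "").trim() === "");
  if (missing.length > 0) {
    throw new Error(`Missing required env vars: ${missing.join(", ")}`);
  }
  const adminEmails = parseAdminEmails(env.ADMIN_EMAILS);
  const warnings: string[] = [];
  // Assumption: NODE_ENV marks the production deployment.
  if (env.NODE_ENV === "production" && adminEmails.size === 0) {
    warnings.push("ADMIN_EMAILS is not set in production");
  }
  return { adminEmails, warnings };
}

// Assumption: deny by default. A missing session email or an empty
// allowlist never grants access to the import endpoint.
function isAdmin(config: AppConfig, sessionEmail: string | null | undefined): boolean {
  if (!sessionEmail) return false;
  return config.adminEmails.has(sessionEmail.trim().toLowerCase());
}
```

Passing the environment in as an argument, rather than reading it inside the functions, keeps the check testable without touching real secrets.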