Harden security, modularize API bootstrap, and fix scale SSE auth.

Block web access to sensitive paths, require API_TOKEN for mutations, encrypt GitHub issue credentials in .env, auto-provision tokens for same-origin clients, and pass api_token in scale relay URLs since EventSource cannot send headers.

Co-authored-by: Cursor <cursoragent@cursor.com>

.env.example

@@ -125,10 +125,24 @@ GDRIVE_FOLDER_ID=
 GDRIVE_RETENTION_DAYS=30
 
 # ── Security ─────────────────────────────────────────────────────────────────
-# SETTINGS_TOKEN: if set, the Settings screen requires this token to save changes.
-# Leave empty to allow anyone with access to the server to change settings.
+# API_TOKEN: when set, all API calls require header X-API-Token (or ?api_token= for HA).
+# SETTINGS_TOKEN: legacy alias — use API_TOKEN for new installs.
+API_TOKEN=
 SETTINGS_TOKEN=
 
+# CORS_ORIGIN: comma-separated allowed origins (empty = same-origin only, no wildcard)
+CORS_ORIGIN=
+
+# GitHub automatic issue reporting (encrypted storage recommended)
+# Option A — plain ( .env is gitignored ):
+# GH_ISSUE_TOKEN=ghp_...
+# Option B — encrypted (php scripts/encrypt-gh-token.php 'ghp_...' 'secret-key'):
+GH_ISSUE_TOKEN=
+GH_ISSUE_TOKEN_ENC=
+GH_ISSUE_TOKEN_KEY=
+
+# NOTE: Run `php scripts/migrate-env-security.php` once after upgrading to migrate legacy tokens.
+
 # INSTANCE_NAME: display name for this EverShelf instance (used by the HA integration
 # for Zeroconf discovery label and device name in Home Assistant).
 # Defaults to the server hostname if left empty.
@@ -160,5 +174,5 @@ HA_EXPIRY_DAYS=3
 # DEMO_MODE: when true, all write operations are blocked (for public demos)
 DEMO_MODE=false
 
-# NOTE: GitHub error reporting uses a token hardcoded in api/index.php.
-# To rotate it, update the GH_ISSUE_TOKEN constant there.
+# CRON_LOG_MAX_BYTES: rotate data/cron.log when larger (default 524288 = 512 KB)
+CRON_LOG_MAX_BYTES=524288