docs(roadmap): record production config hardening

docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md

@@ -138,7 +138,7 @@ Acceptance criteria:
 
 Goal: production starts fail closed and do not silently run with development-only security.
 
-- [ ] **P3.1** Change backend config validation so production cannot use default `JWT_SECRET`, memory DB, disabled encryption by accident, or missing Cosmos credentials. Keep test/dev ergonomics intact. Commit:
+- [x] **P3.1** Change backend config validation so production cannot use default `JWT_SECRET`, memory DB, disabled encryption by accident, or missing Cosmos credentials. Keep test/dev ergonomics intact. Commit: `e7d381f`; Verified: `GITEA_NPM_TOKEN=dummy pnpm --filter @notelett/backend run typecheck`; `node --import tsx --input-type=module -e "import { parseConfig } from './src/lib/config.ts'; ..."` accepted a safe production env and rejected unsafe defaults; `git diff --check`. Added exported `parseConfig()`, safe string boolean parsing, development JWT defaulting only for non-production ergonomics, production rejection for default/short JWT secrets, memory DB, missing Cosmos endpoint/key/database, disabled field encryption, and production memory key provider.
 - [ ] **P3.2** Add tests for production config validation: missing secret, default secret, memory DB in production, missing Cosmos env, encryption provider requirements. Commit:
 - [ ] **P3.3** Review all unauthenticated backend endpoints. Keep `/health`, `/api/bootstrap`, and public share reads intentional; protect diagnostics or make them explicitly dev/admin-gated. Commit:
 - [ ] **P3.4** Add or verify rate limiting and abuse controls for public share, auth-facing, prompt, intake, and LLM-backed endpoints using shared platform patterns where available. Commit: