Fix R01-N04: drop unused SESSION_SECRET from env template + docs

The env var was documented as the salt for "session cookie name / CSRF
tokens" but nothing in the code reads it: CSRF tokens come from
random_bytes(32), the session id is whatever PHP generates, and
SessionGuard never references the value. An operator who rotated the
secret expecting active sessions / tokens to invalidate would get a
false sense of security.

Removed from:
- .env.example (the documented surface)
- SPEC.md §8 (the canonical env block)
- README.md (the "minimum to sign in" cheat-sheet)
- doc/admin-manual.md §3.3 dropped entirely; §3.4 → §3.3,
  §3.5 → §3.4, §3.6 → §3.5 to close the gap

Per REVIEW_01.md's two options: this is the smaller change and matches
what the code actually does. Wiring the value into a CSRF HMAC or
session-id derivation is the alternative — recorded as a follow-up if a
deploy-time rotation knob is wanted later.

Existing deployments' .env files keep their (unused) SESSION_SECRET=
line; it's now dead weight but harmless. Operators may delete it on the
next config touch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.env.example

@@ -7,9 +7,6 @@ ENTRA_CLIENT_SECRET=
 # Used to build the OIDC redirect URI {APP_BASE_URL}/auth/callback
 APP_BASE_URL=http://localhost:8080
 
-# Random string (>=32 bytes). Used to salt the session cookie name / CSRF tokens.
-SESSION_SECRET=
-
 # Path to the SQLite database file inside the container. Leave as-is unless
 # you have a specific reason to change it. The parent dir is the mounted
 # volume (/var/www/data).

README.md

@@ -29,7 +29,6 @@ cd sprint_planer_web
 cp .env.example .env
 
 # 3. Edit .env. The minimum to sign in without Entra is:
-#      SESSION_SECRET=<random 32+ bytes, e.g. `openssl rand -hex 32`>
 #      LOCAL_ADMIN_EMAIL=you@example.com
 #      LOCAL_ADMIN_PASSWORD=<a long passphrase>
 #    For Entra-based sign-in, fill ENTRA_TENANT_ID / ENTRA_CLIENT_ID /

SPEC.md

@@ -263,7 +263,6 @@ ENTRA_TENANT_ID=
 ENTRA_CLIENT_ID=
 ENTRA_CLIENT_SECRET=
 APP_BASE_URL=http://localhost:8080
-SESSION_SECRET=
 DB_PATH=/var/www/data/app.sqlite
 SESSION_PATH=/var/www/data/sessions
 APP_ENV=production

doc/admin-manual.md

@@ -87,25 +87,7 @@ what is registered in Entra. For local testing the default
 port `8088`, so use `http://localhost:8088` if you have not edited
 `docker-compose.yml`.
 
-### 3.3 Session secret
-
-```
-SESSION_SECRET=<random string, at least 32 bytes>
-```
-
-Used to derive the session cookie name and CSRF tokens. Generate one with
-either of:
-
-```bash
-openssl rand -hex 32
-# or
-head -c 48 /dev/urandom | base64
-```
-
-Rotating this value invalidates all active sessions — users will need to
-sign in again, but no data is lost.
-
-### 3.4 Database and session storage paths
+### 3.3 Database and session storage paths
 
 ```
 DB_PATH=/var/www/data/app.sqlite
@@ -116,7 +98,7 @@ Leave the defaults unless you are also remapping the volume. The parent
 directory `/var/www/data` is the volume mount point inside the container
 and corresponds to `./data/` on the host.
 
-### 3.5 Environment mode
+### 3.4 Environment mode
 
 ```
 APP_ENV=production
@@ -125,7 +107,7 @@ APP_ENV=production
 `production` silences verbose PHP errors. Any other value (e.g. `dev`)
 turns them on — useful when troubleshooting in a non-public install.
 
-### 3.6 Local admin fallback (optional)
+### 3.5 Local admin fallback (optional)
 
 ```
 LOCAL_ADMIN_EMAIL=admin@example.com