Addresses Nora's review concern on #513/#516. The previous fix only made env-vars take effect — it did NOT close the fail-open default path. If an operator forgets APP_ADMIN_USERNAME / APP_ADMIN_PASSWORD on first prod boot, the seeded admin is the well-known `admin@familienarchiv.local` / `admin123` and is permanently locked (UserDataInitializer only seeds when the row is missing).

Refuse to seed outside dev/test/e2e profiles when either credential matches the documented default. The startup fails fast with a clear message pointing at the env-var names and the permanence trap.

Also adds Markus/Felix/Sara's "pin the Java side" coverage: a reflection test on the @Value placeholder catches a future rename of `${app.admin.email:...}` back to `${app.admin.username:...}`, which would otherwise pass the yaml-side test but silently break the binding.

Tests:
- AdminSeedFailClosedTest pins fail-closed for non-local profiles and verifies the dev/test/e2e bypass.
- AdminSeedPropertyKeyTest now also asserts the @Value placeholder string on UserDataInitializer.adminEmail/adminPassword.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
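
The fail-closed seeding rule described in the commit message, as an added plain-Java example (not the project's code and not part of the commit). `AdminSeedGuard` and `check` are hypothetical names; the profile names, env-var names and default credentials are the ones quoted above, and treating an unset value or an empty profile list as unsafe is an assumption.

```java
import java.util.Set;

// Added illustration; class and method names are hypothetical.
public final class AdminSeedGuard {
    // Documented defaults quoted in the commit message.
    static final String DEFAULT_EMAIL = "admin@familienarchiv.local";
    static final String DEFAULT_PASSWORD = "admin123";
    // Profiles in which seeding the defaults stays allowed.
    static final Set<String> LOCAL_PROFILES = Set.of("dev", "test", "e2e");

    /** Throws if a non-local boot would seed either documented default. */
    static void check(Set<String> activeProfiles, String email, String password) {
        // No active profile is NOT treated as local: the guard fails closed.
        if (activeProfiles.stream().anyMatch(LOCAL_PROFILES::contains)) {
            return;
        }
        // Assumption: an unset value falls back to the default, so null counts as default.
        boolean defaultEmail = email == null || DEFAULT_EMAIL.equalsIgnoreCase(email.trim());
        boolean defaultPassword = password == null || DEFAULT_PASSWORD.equals(password);
        if (defaultEmail || defaultPassword) {
            throw new IllegalStateException(
                "Refusing to seed the admin user with a documented default credential. "
                + "Set APP_ADMIN_USERNAME and APP_ADMIN_PASSWORD before first boot: "
                + "the admin row is only seeded when missing and is not re-seeded later.");
        }
    }

    public static void main(String[] args) {
        // Constructed cases: {active profiles, email, password}.
        Object[][] cases = {
            {Set.of("dev"), DEFAULT_EMAIL, DEFAULT_PASSWORD},               // local bypass
            {Set.of("prod"), DEFAULT_EMAIL, DEFAULT_PASSWORD},              // both default
            {Set.of("prod"), "ops@example.org", DEFAULT_PASSWORD},          // one default is enough
            {Set.of(), DEFAULT_EMAIL, "constructed-long-passphrase"},       // no profile set
            {Set.of("prod"), "ops@example.org", "constructed-long-passphrase"},
        };
        for (Object[] c : cases) {
            @SuppressWarnings("unchecked")
            Set<String> profiles = (Set<String>) c[0];
            String outcome;
            try {
                check(profiles, (String) c[1], (String) c[2]);
                outcome = "seed allowed";
            } catch (IllegalStateException e) {
                outcome = "startup refused";
            }
            System.out.println(profiles + " " + c[1] + " -> " + outcome);
        }
    }
}
```

In this sketch any local profile in the active set enables the bypass, so a deployment that activates `dev` alongside a production profile would still seed the defaults; whether the real initializer behaves that way is not stated in the commit message.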