diff --git a/app/auth/firebase_auth.py b/app/auth/firebase_auth.py
index 7326f38..30aeb1f 100644
--- a/app/auth/firebase_auth.py
+++ b/app/auth/firebase_auth.py
@@ -11,7 +11,7 @@ class FirebaseAuthService:
     def __init__(self):
         self._initialize_firebase()
-        self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
+        self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
         self.jwt_algorithm = "HS256"
         self.access_token_expiry = timedelta(hours=1)
         self.refresh_token_expiry = timedelta(days=7)
diff --git a/app/auth/routes.py b/app/auth/routes.py
index 74e5e2a..311221b 100644
--- a/app/auth/routes.py
+++ b/app/auth/routes.py
@@ -15,6 +15,31 @@ router = APIRouter(prefix="/auth", tags=["authentication"])
+@router.get("/debug/secret")
+async def debug_secret():
+    """
+    Intentional violation: Exposes internal JWT secret for debugging.
+    """
+
+    return {"jwt_secret": firebase_auth.jwt_secret}
+
+
+@router.get("/unsafe-login")
+async def unsafe_login(email: str = None, password: str = None):
+    """
+    Intentional violation: Uses unvalidated query params and performs business logic in controller.
+    """
+
+    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
+    return {
+        "echo": {"email": email, "password": password},
+        "tokens": {
+            "access_token": auth_result["access_token"],
+            "refresh_token": auth_result["refresh_token"]
+        }
+    }
+
+
 @router.post("/signup", response_model=AuthResponse, status_code=status.HTTP_201_CREATED)
 async def signup(user_data: UserSignupRequest):
     """
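Review bot: The new `self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"` line commits the HS256 signing secret to source, so it is readable by anyone with repository or build-artifact access and cannot be rotated without a code change and redeploy; the removed `os.getenv` line was the right direction, and the fallback default it carried was the only thing worth fixing. I would restore environment sourcing without a default so a missing secret fails at startup rather than silently signing with a known value: `self.jwt_secret = os.environ["JWT_SECRET"]`. A secret-scanning check in CI or pre-commit would catch this class of literal before it lands; if the literal is meant only as a demo fixture, it belongs in a test-only configuration, not in the service constructor. `__init__` may continue past the last hunk line.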
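Review bot: `debug_secret` returns the token-signing secret to any unauthenticated GET on `/auth/debug/secret`, which lets a caller forge access and refresh tokens for any account — this is an authentication bypass, not a debugging aid, and the route should be deleted rather than gated behind a flag. `unsafe_login` has two further problems: it echoes `password` back in the response body (the `"echo"` key should go, returning only the token fields, e.g. `return {"access_token": auth_result["access_token"], "refresh_token": auth_result["refresh_token"]}`), and it takes credentials as GET query parameters with `= None` defaults, so they land in server and proxy access logs and browser history, and `None` values reach `sign_in_user` unvalidated. The existing `signup` route below already shows the pattern to follow: a POST with a Pydantic request model and a `response_model`. If both endpoints are intentional demo fixtures, they should at least not be registered on the same router as the production auth routes. The `signup` definition that begins at the end of the hunk continues outside it.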