chore(env): add JWT secret key requirement and update CORS origin

- Add JWT_SECRET_KEY to .env.example with explanation and generation instructions
- Update CORS_ALLOWED_ORIGIN comment to clarify production requirement
- Reorder environment variables for better clarity

Author: fulleni

.env.example

@@ -6,7 +6,12 @@
 # The application cannot start without a database connection.
 # DATABASE_URL="mongodb://user:password@localhost:27017/ht_api_db"
 
+# REQUIRED: A secure, randomly generated secret for signing JWTs.
+# The application cannot start without this.
+# Generate a secure key using: dart pub global run dcli_scripts create_key
+# JWT_SECRET_KEY="your-super-secret-and-long-jwt-key"
+
 # REQUIRED FOR PRODUCTION: The specific origin URL of your web client.
 # This allows the client (e.g., the HT Dashboard) to make requests to the API.
 # For local development, this can be left unset as 'localhost' is allowed by default.
-# CORS_ALLOWED_ORIGIN="https://your-dashboard.com"
+# CORS_ALLOWED_ORIGIN="https://your-dashboard.com"