fix: remove JWT_SECRET env var — server manages it exclusively

Setting JWT_SECRET via environment variable was broken by design:
the admin panel rotation updates the in-memory binding and persists
the new value to data/.jwt_secret, but an env var would silently
override it on the next restart, reverting the rotation.

The server now always loads JWT_SECRET from data/.jwt_secret
(auto-generating it on first start), making the file the single
source of truth. Rotation is handled exclusively through the admin
panel.

- config.ts: drop process.env.JWT_SECRET fallback and
  JWT_SECRET_IS_GENERATED export; always read from / write to
  data/.jwt_secret
- index.ts: remove the now-obsolete JWT_SECRET startup warning
- .env.example, docker-compose.yml, README: remove JWT_SECRET entries
- Helm chart: remove JWT_SECRET from secretEnv, secret.yaml, and
  deployment.yaml; rename generateJwtSecret → generateEncryptionKey
  and update NOTES.txt and README accordingly

server/src/index.ts

@@ -1,5 +1,4 @@
 import 'dotenv/config';
-import { JWT_SECRET_IS_GENERATED } from './config';
 import express, { Request, Response, NextFunction } from 'express';
 import { enforceGlobalMfaPolicy } from './middleware/mfaPolicy';
 import cors from 'cors';
@@ -268,9 +267,6 @@ const server = app.listen(PORT, () => {
     '──────────────────────────────────────',
   ];
   banner.forEach(l => console.log(l));
-  if (JWT_SECRET_IS_GENERATED) {
-    sLogWarn('[SECURITY WARNING] JWT_SECRET was auto-generated. Sessions will not persist across restarts. Set JWT_SECRET env var for production use.');
-  }
   if (process.env.DEMO_MODE === 'true') sLogInfo('Demo mode: ENABLED');
   if (process.env.DEMO_MODE === 'true' && process.env.NODE_ENV === 'production') {
     sLogWarn('SECURITY WARNING: DEMO_MODE is enabled in production!');