GSSA-2026-04-AMHCRR
2026-04-25
9.8 Critical

Weak default fallback secrets allow JWT and CSRF token forgery in cobc-events

cobc-events <1.0.1 fell back to hard-coded development secrets when JWT_SECRET / SESSION_SECRET were unset, allowing forgery of session JWTs and CSRF HMAC tokens.
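
The pattern the advisory describes, shown as an added example that is not cobc-events code: a configuration loader that silently substitutes a hard-coded development secret when `JWT_SECRET` or `SESSION_SECRET` is unset, next to a hardened loader that fails closed at startup and rejects the known default or a too-short value. The fallback string, the environment dictionary, the minimum length, and all function names are assumptions for illustration; the HS256 signer and CSRF HMAC are minimal stdlib implementations standing in for whatever library the project uses.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for a hard-coded development fallback (not the project's real value).
DEV_FALLBACK = "dev-secret-change-me"
# Assumed policy: HMAC keys should carry at least 256 bits of entropy.
MIN_SECRET_BYTES = 32


def load_secret_vulnerable(env: dict, name: str) -> str:
    """Vulnerable pattern: an unset variable quietly becomes a secret every deployment shares."""
    return env.get(name) or DEV_FALLBACK


def load_secret_hardened(env: dict, name: str) -> str:
    """Hardened pattern: no fallback; refuse to start on a missing, default, or short secret."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} must be set; refusing to start without a real secret")
    if value == DEV_FALLBACK or len(value.encode()) < MIN_SECRET_BYTES:
        raise RuntimeError(f"{name} is a known default or shorter than {MIN_SECRET_BYTES} bytes")
    return value


def _b64url(data: bytes) -> bytes:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def sign_hs256(payload: dict, secret: str) -> str:
    """Minimal HS256 JWT: header.payload.HMAC-SHA256(secret, header.payload)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = header + b"." + body
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return (signing_input + b"." + _b64url(sig)).decode()


def verify_hs256(token: str, secret: str) -> bool:
    """Constant-time check of the HS256 signature against the given secret."""
    parts = token.encode().split(b".")
    if len(parts) != 3:
        return False
    header, body, sig = parts
    expected = hmac.new(secret.encode(), header + b"." + body, hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)


def csrf_token(session_id: str, secret: str) -> str:
    """CSRF token bound to a session id with HMAC-SHA256 over the session secret."""
    return hmac.new(secret.encode(), session_id.encode(), hashlib.sha256).hexdigest()


def fallback_instances_share_trust() -> bool:
    """Two unrelated deployments with no env vars set end up trusting each other's tokens.

    This is the root cause the advisory describes: the secret is not unknown to
    outsiders, so HMAC-based JWTs and CSRF tokens no longer prove anything.
    """
    site_a = load_secret_vulnerable({}, "JWT_SECRET")
    site_b = load_secret_vulnerable({}, "JWT_SECRET")
    token_from_a = sign_hs256({"sub": "user-42", "role": "admin"}, site_a)
    return verify_hs256(token_from_a, site_b)


def startup_check(env: dict) -> dict:
    """Fail-closed startup validation for both secrets; returns which ones are acceptable."""
    status = {}
    for name in ("JWT_SECRET", "SESSION_SECRET"):
        try:
            load_secret_hardened(env, name)
            status[name] = "ok"
        except RuntimeError as exc:
            status[name] = str(exc)
    return status


if __name__ == "__main__":
    print("shared fallback trusted across instances:", fallback_instances_share_trust())
    print(startup_check({}))
    print(startup_check({"JWT_SECRET": "x" * 32, "SESSION_SECRET": DEV_FALLBACK}))
```

Running the block shows the hardened loader reporting both secrets as unacceptable on an empty environment, and still rejecting `SESSION_SECRET` when it equals the known default even though `JWT_SECRET` passes. The `startup_check` shape is deliberate: a deployment should refuse to serve requests rather than log a warning and continue, because a warning does nothing to stop the token forgery the advisory describes.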