Phase 1 MVP - Complete implementation

- Auth: register, login, JWT with refresh tokens, blocklist
- Projects/Folders/Documents CRUD with soft deletes
- Tags CRUD and assignment
- FTS5 search with highlights and tag filtering
- ADR-001, ADR-002, ADR-003 compliant
- Security fixes applied (JWT_SECRET_KEY, exception handler, cookie secure)
- 25 tests passing

app/config.py

@@ -0,0 +1,45 @@
+import os
+from pathlib import Path
+
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+
+def _resolve_db_url(url: str) -> str:
+    """Convert relative sqlite path to absolute path."""
+    if url.startswith("sqlite+aiosqlite:///./"):
+        # Convert relative path to absolute
+        rel_path = url.replace("sqlite+aiosqlite:///./", "")
+        abs_path = Path("/root/.openclaw/workspace-orchestrator/backend").resolve() / rel_path
+        return f"sqlite+aiosqlite:///{abs_path}"
+    return url
+
+
+class Settings(BaseSettings):
+    model_config = SettingsConfigDict(env_file=".env", extra="ignore")
+
+    DATABASE_URL: str = "sqlite+aiosqlite:///./data/claudia_docs.db"
+    JWT_SECRET_KEY: str
+    JWT_ALGORITHM: str = "HS256"
+    JWT_ACCESS_TOKEN_EXPIRE_MINUTES: int = 15
+    JWT_REFRESH_TOKEN_EXPIRE_DAYS: int = 7
+    CORS_ORIGINS: str = "http://localhost:5173,http://localhost:80"
+    HOST: str = "0.0.0.0"
+    PORT: int = 8000
+    LOG_LEVEL: str = "INFO"
+    INITIAL_ADMIN_USERNAME: str = "admin"
+    INITIAL_ADMIN_PASSWORD: str = "admin123"
+
+    @property
+    def resolved_database_url(self) -> str:
+        return _resolve_db_url(self.DATABASE_URL)
+
+    @property
+    def cors_origins_list(self) -> list[str]:
+        return [o.strip() for o in self.CORS_ORIGINS.split(",") if o.strip()]
+
+
+settings = Settings()
+
+# Validate required secrets at startup
+if not settings.JWT_SECRET_KEY or settings.JWT_SECRET_KEY == "change-me-super-secret-key-min32chars!!":
+    raise ValueError("JWT_SECRET_KEY must be set in environment variables")