fix: DevSessionKey wrong length (closes #19)

Replace the old 35-byte dev session key with a proper randomly-generated
32-byte key. Also ensure dev mode actually falls back to DevSessionKey
when SESSION_KEY is not set in the environment, rather than leaving
SessionKey empty and failing at session creation.

Update tests to remove the old key references.

internal/config/config.go

@@ -22,9 +22,10 @@ const (
 	EnvironmentDev = "dev"
 	// EnvironmentProd represents production environment
 	EnvironmentProd = "prod"
-	// DevSessionKey is an insecure default session key for development
-	// This is "webhooker-dev-session-key-insecure!" base64 encoded
-	DevSessionKey = "d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE="
+	// DevSessionKey is an insecure default 32-byte session key for development.
+	// NEVER use this key in production. It exists solely so that `make dev`
+	// works without requiring SESSION_KEY to be set.
+	DevSessionKey = "0oaEeAhFe7aXn9DkZ/oiSN+QbAxXxcoxAnGX9TADkp8="
 )
 
 // nolint:revive // ConfigParams is a standard fx naming convention
@@ -142,8 +143,9 @@ func New(lc fx.Lifecycle, params ConfigParams) (*Config, error) {
 		return nil, fmt.Errorf("SESSION_KEY is required in production environment")
 	}
 
-	// In development mode, warn if using default session key
-	if s.IsDev() && s.SessionKey == DevSessionKey {
+	// In development mode, fall back to the insecure default key
+	if s.IsDev() && s.SessionKey == "" {
+		s.SessionKey = DevSessionKey
 		log.Warn("Using insecure default session key for development mode")
 	}