security: remove .env from tracking (contains secrets)

apps/api/src/index.ts

@@ -1,6 +1,7 @@
 import app from './app';
 import { env, initEnv } from './config/env';
 import { refreshAllKeys, startKeyRotation, stopKeyRotation } from './services/key-rotation.service';
+import { isCryptoReady } from './services/crypto.service';
 import { logger } from './lib/logger';
 
 async function main() {
@@ -8,6 +9,13 @@ async function main() {
 
   await initEnv();
   await refreshAllKeys();
+
+  // Custodial: без master-key сервис не может расшифровать ни одну мнемонику — fail fast.
+  if (!isCryptoReady()) {
+    logger.error('Crypto master key not loaded — refusing to start (custodial wallets require it)');
+    process.exit(1);
+  }
+
   startKeyRotation();
 
   const server = app.listen(env.port, () => {