## Problem

- `/actuator/**`, `/h2-console/**`, and `/metrics/**` are currently anonymous in Shiro, exposing management endpoints without authentication
- H2 dev profile seeds a default admin password (`streampark`) without a startup warning

## Proposed solution

- Keep `/actuator/health` and `/actuator/info` anonymous for probes; require JWT for other actuator, H2 console, and metrics endpoints
- Log a startup WARN when H2 embedded database is detected
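The following is an added illustration, not code from this pull request: it puts the anonymous chain described under Problem beside a chain shaped like the proposal and resolves a few constructed paths against each using Shiro's `AntPathMatcher`. The class name, the filter name `jwt`, the exact pattern strings and the sample paths are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.util.AntPathMatcher;

public class ManagementChainExample {

    // Before: every management path is mapped to Shiro's built-in "anon" filter.
    static Map<String, String> anonymousChain() {
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/actuator/**", "anon");
        chain.put("/h2-console/**", "anon");
        chain.put("/metrics/**", "anon");
        return chain;
    }

    // After: only the two probe endpoints stay anonymous. They must be listed
    // before "/actuator/**". "jwt" is an assumed name for the JWT filter.
    static Map<String, String> hardenedChain() {
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/actuator/health", "anon");
        chain.put("/actuator/info", "anon");
        chain.put("/actuator/**", "jwt");
        chain.put("/h2-console/**", "jwt");
        chain.put("/metrics/**", "jwt");
        return chain;
    }

    // Shiro walks the chain definitions in insertion order; the first match wins.
    static String resolve(Map<String, String> chain, String path) {
        AntPathMatcher matcher = new AntPathMatcher();
        for (Map.Entry<String, String> entry : chain.entrySet()) {
            if (matcher.matches(entry.getKey(), path)) {
                return entry.getValue();
            }
        }
        return "(no chain)";
    }

    public static void main(String[] args) {
        // Constructed sample paths. With exact patterns, a sub-path such as
        // /actuator/health/liveness falls through to "/actuator/**".
        String[] paths = {"/actuator/health", "/actuator/info", "/actuator/env",
            "/actuator/health/liveness", "/h2-console/login.do", "/metrics/jvm"};
        for (String p : paths) {
            System.out.printf("%-28s before=%-5s after=%s%n",
                p, resolve(anonymousChain(), p), resolve(hardenedChain(), p));
        }
    }
}
```

If probes target sub-paths of the health endpoint, they need their own `anon` entry ahead of `/actuator/**`; otherwise they will be challenged for a token.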