FCA-grade security controls around auth, PII, and prompt injection:
SECRET_KEY
field_validator
en_core_web_lg
passlib.context.CryptContext(schemes=["bcrypt"])