모바일 fallback 변경. .env유출 가능성 차단

test/userfront_loading_performance_policy_test.sh

@@ -46,6 +46,13 @@ if rg -n "gzip|gzipSync|\\.gz" userfront/nginx.conf userfront/scripts/optimize-w
   fail "userfront web compression must be managed as brotli-only"
 fi
 rg -q "Cache-Control.*no-cache" userfront/nginx.conf || fail "HTML/app shell must use no-cache revalidation"
+if rg -n "assets/\\.env|/\\.env|runtimeEnvBody|dotenv\\.load" userfront/lib userfront/nginx.conf userfront-e2e/scripts/serve-userfront-build.mjs; then
+  fail "userfront must not request, load, or serve public .env assets to browsers"
+fi
+if rg -n "/usr/share/nginx/html/.+\\.env|assets/\\.env|cp .+\\.env" docker/docker-compose.staging.template.yaml docker/staging_pull_compose.template.yaml; then
+  fail "userfront deployment must not write runtime .env into the public static document root"
+fi
+rg -q "\\[userfront-runtime\\] BACKEND_URL configured" docker/docker-compose.staging.template.yaml docker/staging_pull_compose.template.yaml || fail "userfront runtime config presence must be logged server-side only"
 rg -q "Cache-Control.*immutable" userfront/nginx.conf || fail "versioned static assets must use immutable cache"
 
 tmp_dir="$(mktemp -d)"