diff --git a/src/backend/middleware/auth.js b/src/backend/middleware/auth.js
index 7df2ec9..bbb5691 100644
--- a/src/backend/middleware/auth.js
+++ b/src/backend/middleware/auth.js
@@ -7,21 +7,28 @@ const jwt = require('jsonwebtoken');
 function authenticateUser(req, res, next) {
   try {
     // In development mode, allow requests without auth for testing
-    if (process.env.NODE_ENV === 'development') {
+    // SECURITY: This bypass only works if BOTH conditions are met:
+    // 1. NODE_ENV is 'development'
+    // 2. ALLOW_DEV_BYPASS is explicitly set to 'true'
+    const isDevelopment = process.env.NODE_ENV === 'development';
+    const allowDevBypass = process.env.ALLOW_DEV_BYPASS === 'true';
+
+    if (isDevelopment && allowDevBypass) {
       // Check for token, but if not present, use demo user
       const authHeader = req.headers.authorization;
-      
+
       if (!authHeader || !authHeader.startsWith('Bearer ')) {
         // Use demo user for development
+        console.warn('⚠️  Development mode: Using demo user without authentication');
         req.user = {
           id: 'demo-user-123',
           email: 'demo@aethex.dev'
         };
         return next();
       }
-      
+
       const token = authHeader.substring(7);
-      
+
       // Try to verify, but don't fail if invalid
       try {
         const decoded = jwt.verify(token, process.env.JWT_SECRET);
@@ -31,15 +38,16 @@ function authenticateUser(req, res, next) {
         };
       } catch {
         // Use demo user if token invalid
+        console.warn('⚠️  Development mode: Invalid token, using demo user');
         req.user = {
           id: 'demo-user-123',
           email: 'demo@aethex.dev'
         };
       }
-      
+
       return next();
     }
-    
+
     // Production: Strict auth required
     const authHeader = req.headers.authorization;
     
diff --git a/src/backend/services/callService.js b/src/backend/services/callService.js
index a59642c..bd6a0fa 100644
--- a/src/backend/services/callService.js
+++ b/src/backend/services/callService.js
@@ -29,6 +29,10 @@ class CallService {
       [conversationId]
     );
 
+    if (conversationResult.rows.length === 0) {
+      throw new Error(`Conversation ${conversationId} not found`);
+    }
+
     const conversation = conversationResult.rows[0];
 
     // Determine if group call
@@ -249,9 +253,12 @@ class CallService {
   async generateTURNCredentials(userId) {
     const timestamp = Math.floor(Date.now() / 1000) + 86400; // 24 hour TTL
     const username = `${timestamp}:${userId}`;
-    
+
     // Generate credential using HMAC
-    const turnSecret = process.env.TURN_SECRET || 'default-secret-change-me';
+    const turnSecret = process.env.TURN_SECRET;
+    if (!turnSecret) {
+      throw new Error('TURN_SECRET environment variable must be set for TURN server authentication');
+    }
     const hmac = crypto.createHmac('sha1', turnSecret);
     hmac.update(username);
     const credential = hmac.digest('base64');
@@ -265,8 +272,12 @@ class CallService {
       [userId, username, credential, timestamp]
     );
 
-    const turnHost = process.env.TURN_SERVER_HOST || 'turn.aethex.app';
-    const turnPort = process.env.TURN_SERVER_PORT || '3478';
+    const turnHost = process.env.TURN_SERVER_HOST;
+    const turnPort = process.env.TURN_SERVER_PORT;
+
+    if (!turnHost || !turnPort) {
+      throw new Error('TURN_SERVER_HOST and TURN_SERVER_PORT environment variables must be set');
+    }
 
     return {
       urls: [
diff --git a/src/backend/services/gameforgeIntegration.js b/src/backend/services/gameforgeIntegration.js
index 4ae2418..a8e273a 100644
--- a/src/backend/services/gameforgeIntegration.js
+++ b/src/backend/services/gameforgeIntegration.js
@@ -36,6 +36,10 @@ class GameForgeIntegrationService {
       ]
     );
 
+    if (integrationResult.rows.length === 0) {
+      throw new Error('Failed to create GameForge integration');
+    }
+
     const integration = integrationResult.rows[0];
 
     // Create channels
@@ -88,13 +92,17 @@ class GameForgeIntegrationService {
     const description = this.getChannelDescription(channelName);
 
     const conversationResult = await db.query(
-      `INSERT INTO conversations 
+      `INSERT INTO conversations
        (type, title, description, created_by, gameforge_project_id)
        VALUES ('group', $1, $2, $3, $4)
        RETURNING *`,
       [title, description, ownerId, projectId]
     );
 
+    if (conversationResult.rows.length === 0) {
+      throw new Error('Failed to create conversation for GameForge channel');
+    }
+
     const conversation = conversationResult.rows[0];
 
     // Add team members based on permissions
diff --git a/src/backend/services/messagingService.js b/src/backend/services/messagingService.js
index 6847b45..3fd2a72 100644
--- a/src/backend/services/messagingService.js
+++ b/src/backend/services/messagingService.js
@@ -287,8 +287,13 @@ class MessagingService {
       `SELECT username, verified_domain, avatar_url FROM users WHERE id = $1`,
       [userId]
     );
+
+    if (userResult.rows.length === 0) {
+      throw new Error(`User ${userId} not found`);
+    }
+
     const user = userResult.rows[0];
-    
+
     return {
       id: message.id,
       conversationId: message.conversation_id,