diff --git a/cmd/hyperfleet-api/environments/framework_test.go b/cmd/hyperfleet-api/environments/framework_test.go
index 00fe8346..8ec30df5 100755
--- a/cmd/hyperfleet-api/environments/framework_test.go
+++ b/cmd/hyperfleet-api/environments/framework_test.go
@@ -4,6 +4,7 @@ import (
 "reflect"
 "testing"
+ . "github.com/onsi/gomega"
 "github.com/spf13/pflag"
 "github.com/openshift-hyperfleet/hyperfleet-api/pkg/config"
@@ -51,3 +52,11 @@ func TestLoadServices(t *testing.T) {
 }
 }
 }
+
+func TestEnvironmentDefaultIsProduction(t *testing.T) {
+ RegisterTestingT(t)
+ Expect(EnvironmentDefault).To(
+ Equal(ProductionEnv),
+ "EnvironmentDefault must be ProductionEnv for secure-by-default behavior",
+ )
+}
diff --git a/cmd/hyperfleet-api/environments/types.go b/cmd/hyperfleet-api/environments/types.go
index 10c30ae0..cf267930 100755
--- a/cmd/hyperfleet-api/environments/types.go
+++ b/cmd/hyperfleet-api/environments/types.go
@@ -15,7 +15,7 @@ const (
 ProductionEnv string = "production"
 EnvironmentStringKey string = "HYPERFLEET_ENV"
- EnvironmentDefault = DevelopmentEnv
+ EnvironmentDefault = ProductionEnv
 // Database SSL modes
 SSLModeDisable string = "disable"
diff --git a/docs/development.md b/docs/development.md
index aeff986a..ecb4b050 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -91,6 +91,8 @@ pre-commit run --all-files
 make run-no-auth
 ```
+**Note**: The default runtime environment is `production` (JWT and TLS enabled). The `make run-no-auth` target explicitly disables authentication for local development. If running the binary directly, set `HYPERFLEET_ENV=development` or use `--server-jwt-enabled=false`.
+
 The service starts on `localhost:8000`:
 - REST API: `http://localhost:8000/api/hyperfleet/v1/`
 - OpenAPI spec: `http://localhost:8000/api/hyperfleet/v1/openapi`
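Review bot: TestEnvironmentDefaultIsProduction pins only the constant, so it would still pass if the code that resolves the environment stopped consulting EnvironmentDefault, or if the production settings themselves lost JWT or TLS. Assuming the package exposes a way to resolve the environment with HYPERFLEET_ENV unset (not visible in this hunk), an additional assertion on the resolved environment's name and its JWT/TLS flags would cover the property the failure message claims. A short comment above the test, such as `// Guards the secure default: an unset HYPERFLEET_ENV must select production.`, would also tell a future editor why the assertion must not be relaxed.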
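Review bot: The new `EnvironmentDefault = ProductionEnv` in types.go covers an unset HYPERFLEET_ENV, but nothing in this hunk shows what happens when the variable is set to an unrecognised value such as a typo. That path should return an error rather than select a less restrictive environment, which is worth confirming in the lookup code outside this diff. The constant also deserves a comment stating the invariant, for example `// EnvironmentDefault is used when HYPERFLEET_ENV is unset; keep it ProductionEnv so JWT and TLS stay on unless explicitly disabled.` The const block starts and ends outside the hunk.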