hey, the docs/deployed-contracts.md addition itself looks fine and closes the doc gap, but this PR has serious scope problems that block merging:

1. Security smell in production middleware. backend/src/middleware/jwtAuth.ts adds an if (process.env.NODE_ENV === "test") block that accepts hardcoded test-token / test-admin-token strings as authenticated users. backend/src/controllers/loanController.ts does the same for test-* user prefixes. NODE_ENV branches inside production code paths are a footgun — a misconfigured deploy or a downstream consumer setting NODE_ENV=test reopens the backdoor. Test-only behavior should live in test fixtures/mocks, not in shipped middleware.

2. Scope creep. The PR title is "docs: add deployed-contracts.md" but it touches 10 files including app.ts (adds backwards-compat root mounts), loanController, jwtAuth, loanAccess, notificationService, webhookService, and frontend/utils/amount.ts. Those changes need their own scoped PRs.

To unblock: please split this into:

• one PR with only docs/deployed-contracts.md + the README/CONTRIBUTING links pointing to it (closes #958)
• separate PRs (if the changes are actually needed) for the app mounts, the controller refactors, and the amount.ts update — none with NODE_ENV backdoors

happy to review the doc-only PR fast once it's split out.