diff --git a/src/main/java/com/seanstarkey/notesvault/NotesVaultApplication.java b/src/main/java/com/seanstarkey/notesvault/NotesVaultApplication.java
new file mode 100644
index 0000000..d8c1b03
--- /dev/null
+++ b/src/main/java/com/seanstarkey/notesvault/NotesVaultApplication.java
@@ -0,0 +1,53 @@
+/**
+ * NotesVaultApplication.java
+ *
+ * Entry point for the Secure Notes Vault API. Bootstraps the Spring Boot application,
+ * enables JPA auditing for automatic timestamp management, and emits a startup warning
+ * if the JWT secret is still set to the insecure development default.
+ */
+package com.seanstarkey.notesvault;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.event.EventListener;
+import org.springframework.boot.context.event.ApplicationReadyEvent;
+import org.springframework.data.jpa.repository.config.EnableJpaAuditing;
+
+/**
+ * Root Spring Boot application class. Enables JPA auditing so that {@code @CreatedDate}
+ * and {@code @LastModifiedDate} annotations on entities are populated automatically.
+ */
+@SpringBootApplication
+@EnableJpaAuditing
+public class NotesVaultApplication {
+
+ private static final Logger log = LoggerFactory.getLogger(NotesVaultApplication.class);
+ private static final String INSECURE_DEFAULT = "dev-secret-change-me-do-not-use-in-production";
+
+ @Value("${app.jwt.secret}")
+ private String jwtSecret;
+
+ /**
+ * Application entry point. Delegates to Spring Boot to bootstrap the context.
+ *
+ * @param args command-line arguments passed to the JVM
+ */
+ public static void main(String[] args) {
+ SpringApplication.run(NotesVaultApplication.class, args);
+ }
+
+ /**
+ * Fires after the application context is fully started. Logs a WARN-level message if
+ * the JWT secret has not been overridden from the insecure development default, so that
+ * operators are alerted before the application is exposed to traffic.
+ */
+ @EventListener(ApplicationReadyEvent.class)
+ public void warnIfInsecureSecret() {
+ if (INSECURE_DEFAULT.equals(jwtSecret)) {
+ log.warn("SECURITY WARNING: JWT_SECRET is using the insecure default — do not use in production");
+ }
+ }
+}
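Review bot: A deployment that forgets to override the secret still starts and signs tokens with `INSECURE_DEFAULT`, a value committed to the repository, because `warnIfInsecureSecret()` only logs a warning. Consider failing startup outside local development, for example replacing the `log.warn(...)` with `throw new IllegalStateException("app.jwt.secret is still the development default");` behind whatever profile check the project uses. The Javadoc says operators are alerted before the application is exposed to traffic, but `ApplicationReadyEvent` is published once the application is ready to serve requests, so either run the check during context initialisation (e.g. a `@PostConstruct` method) or reword the comment. The exact-match test also lets a blank or very short secret through, and it will silently stop matching if the default in the configuration file (not shown in this hunk) is ever changed without updating the constant.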