Update env example with full Jira scopes and add source code link to privacy page

- Added all required Jira OAuth scopes to .env.example
- Added NATS_TOKEN and JIRA_MOCK_FALLBACK to .env.example
- Added open source section to privacy policy linking to the repo

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/.env.example

@@ -1,11 +1,15 @@
 PORT=4010
 FRONTEND_URL=http://localhost:5174
 NATS_URL=nats://localhost:4222
+# NATS_TOKEN=          # optional, if your NATS server requires auth
 
 # Jira OAuth (Atlassian 3LO)
 JIRA_CLIENT_ID=
 JIRA_CLIENT_SECRET=
 JIRA_OAUTH_REDIRECT_URI=http://localhost:4010/api/jira/oauth/callback
-JIRA_SCOPES="offline_access read:jira-work write:jira-work read:me"
+JIRA_SCOPES="offline_access read:jira-work write:jira-work read:me read:project:jira read:issue:jira read:board-scope:jira-software read:board-scope.admin:jira-software read:sprint:jira-software read:issue-details:jira write:issue:jira-software read:jql:jira read:source-code:jira-software"
+
 JWT_SECRET=change-me-to-a-random-secret
+
+# Set to true to use mock Jira data (no real Jira connection needed)
 JIRA_MOCK_FALLBACK=true

frontend/src/components/LegalPage.jsx

@@ -199,6 +199,20 @@ function PrivacyPolicy({ dark }) {
         Revoking the Pokerface OAuth connection in your Atlassian account settings will
         invalidate all stored tokens.
       </P>
+
+      <SubHeading dark={dark}>8. Open Source</SubHeading>
+      <P dark={dark}>
+        Pokerface is open source. If you want to verify how your data is handled, you can
+        review the full source code at{' '}
+        <a
+          href="https://git.faralmail.com/faral/pokerface"
+          target="_blank"
+          rel="noopener noreferrer"
+          style={{ color: dark ? '#60a5fa' : '#2563eb', textDecoration: 'underline' }}
+        >
+          git.faralmail.com/faral/pokerface
+        </a>.
+      </P>
     </>
   );
 }