security: remove hardcoded credentials, use env vars for Bitcoin RPC, PostgreSQL, and API keys

.env.example

@@ -0,0 +1,23 @@
+# AITBC Environment Configuration
+# Copy this file to .env and fill in your values
+
+# Coordinator API
+APP_ENV=dev
+DATABASE_URL=sqlite:///./coordinator.db
+ADMIN_API_KEYS=["your-admin-key"]
+CLIENT_API_KEYS=["your-client-key"]
+MINER_API_KEYS=["your-miner-key"]
+HMAC_SECRET=your-hmac-secret
+RECEIPT_SIGNING_KEY_HEX=
+RECEIPT_ATTESTATION_KEY_HEX=
+
+# PostgreSQL (if using PostgreSQL instead of SQLite)
+# DATABASE_URL=postgresql://user:password@localhost:5432/aitbc_coordinator
+JWT_SECRET=change-me-in-production
+
+# Bitcoin Wallet Integration
+BITCOIN_RPC_URL=http://127.0.0.1:18332
+BITCOIN_RPC_USER=aitbc_rpc
+BITCOIN_RPC_PASSWORD=
+BITCOIN_WALLET_NAME=aitbc_exchange
+BITCOIN_FALLBACK_ADDRESS=tb1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh

.gitignore

@@ -25,7 +25,8 @@ htmlcov/
 
 # Environment files
 *.env
-*.env.*
+.env.*
+!.env.example
 .env.local
 .env.*.local
 

apps/coordinator-api/src/app/config_pg.py

@@ -14,10 +14,10 @@ class Settings(BaseSettings):
     debug: bool = False
     
     # Database Configuration
-    database_url: str = "postgresql://aitbc_user:aitbc_password@localhost:5432/aitbc_coordinator"
+    database_url: str = "postgresql://localhost:5432/aitbc_coordinator"
     
     # JWT Configuration
-    jwt_secret: str = "your-secret-key-change-in-production"
+    jwt_secret: str = "change-me-in-production"
     jwt_algorithm: str = "HS256"
     jwt_expiration_hours: int = 24
     

apps/coordinator-api/src/app/services/bitcoin_wallet.py

@@ -12,15 +12,14 @@ from typing import Dict, Optional
 
 logger = logging.getLogger(__name__)
 
-# Bitcoin wallet configuration
+# Bitcoin wallet configuration (credentials from environment)
 WALLET_CONFIG = {
-    # For development, we'll use testnet
     'testnet': True,
-    'rpc_url': 'http://127.0.0.1:18332',  # Testnet RPC port
-    'rpc_user': 'aitbc_rpc',
-    'rpc_password': 'REDACTED_RPC_PASSWORD',
-    'wallet_name': 'aitbc_exchange',
-    'fallback_address': 'tb1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh'  # Testnet address
+    'rpc_url': os.environ.get('BITCOIN_RPC_URL', 'http://127.0.0.1:18332'),
+    'rpc_user': os.environ.get('BITCOIN_RPC_USER', 'aitbc_rpc'),
+    'rpc_password': os.environ.get('BITCOIN_RPC_PASSWORD', ''),
+    'wallet_name': os.environ.get('BITCOIN_WALLET_NAME', 'aitbc_exchange'),
+    'fallback_address': os.environ.get('BITCOIN_FALLBACK_ADDRESS', 'tb1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh'),
 }
 
 class BitcoinWallet:

apps/coordinator-api/src/app/services/blockchain.py

@@ -23,7 +23,7 @@ async def mint_tokens(address: str, amount: float) -> dict:
                 "address": address,
                 "amount": amount
             },
-            headers={"X-Api-Key": "REDACTED_ADMIN_KEY"}
+            headers={"X-Api-Key": settings.admin_api_keys[0] if settings.admin_api_keys else ""}
         )
         
         if response.status_code == 200:
@@ -39,7 +39,7 @@ def get_balance(address: str) -> Optional[float]:
         
         response = requests.get(
             f"{BLOCKCHAIN_RPC}/getBalance/{address}",
-            headers={"X-Api-Key": "REDACTED_ADMIN_KEY"}
+            headers={"X-Api-Key": settings.admin_api_keys[0] if settings.admin_api_keys else ""}
         )
         
         if response.status_code == 200: