chore(security): enhance environment configuration, CI workflows, and wallet daemon with security improvements

- Restructure .env.example with security-focused documentation, service-specific environment file references, and AWS Secrets Manager integration - Update CLI tests workflow to single Python 3.13 version, add pytest-mock dependency, and consolidate test execution with coverage - Add comprehensive security validation to package publishing workflow with manual approval gates, secret scanning, and release
2026-03-03 10:33:46 +01:00
parent 00d00cb964
commit f353e00172
220 changed files with 42506 additions and 921 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,28 +1,63 @@
 # AITBC Environment Configuration
-# Copy this file to .env and fill in your values
+# SECURITY NOTICE: Use service-specific environment files
+# 
+# For development, copy from:
+#   config/environments/development/coordinator.env
+#   config/environments/development/wallet-daemon.env
 #
-# Requirements:
-# - Python 3.11 or later
-# - SQLite or PostgreSQL database
-# - Bitcoin node (for wallet integration)
+# For production, use AWS Secrets Manager and Kubernetes secrets
+# Templates available in config/environments/production/

-# Coordinator API
-APP_ENV=dev
-DATABASE_URL=sqlite:///./data/coordinator.db
-ADMIN_API_KEYS=["your-admin-key"]
-CLIENT_API_KEYS=["your-client-key"]
-MINER_API_KEYS=["your-miner-key"]
-HMAC_SECRET=your-hmac-secret
-RECEIPT_SIGNING_KEY_HEX=
-RECEIPT_ATTESTATION_KEY_HEX=
+# =============================================================================
+# BASIC CONFIGURATION ONLY
+# =============================================================================
+# Application Environment
+APP_ENV=development
+DEBUG=false
+LOG_LEVEL=INFO

-# PostgreSQL (if using PostgreSQL instead of SQLite)
-# DATABASE_URL=postgresql://user:password@localhost:5432/aitbc_coordinator
-JWT_SECRET=change-me-in-production
+# =============================================================================
+# SECURITY REQUIREMENTS
+# =============================================================================
+# IMPORTANT: Do NOT store actual secrets in this file
+# Use AWS Secrets Manager for production
+# Generate secure keys with: openssl rand -hex 32

-# Bitcoin Wallet Integration
-BITCOIN_RPC_URL=http://127.0.0.1:18332
-BITCOIN_RPC_USER=aitbc_rpc
-BITCOIN_RPC_PASSWORD=
-BITCOIN_WALLET_NAME=aitbc_exchange
-BITCOIN_FALLBACK_ADDRESS=tb1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
+# =============================================================================
+# SERVICE CONFIGURATION
+# =============================================================================
+# Choose your service configuration:
+# 1. Copy service-specific .env file from config/environments/
+# 2. Fill in actual values (NEVER commit secrets)
+# 3. Run: python config/security/environment-audit.py
+
+# =============================================================================
+# DEVELOPMENT QUICK START
+# =============================================================================
+# For quick development setup:
+# cp config/environments/development/coordinator.env .env
+# cp config/environments/development/wallet-daemon.env .env.wallet
+#
+# Then edit the copied files with your values
+
+# =============================================================================
+# PRODUCTION DEPLOYMENT
+# =============================================================================
+# For production deployment:
+# 1. Use AWS Secrets Manager for all sensitive values
+# 2. Reference secrets as: secretRef:secret-name:key
+# 3. Run security audit before deployment
+# 4. Use templates in config/environments/production/
+
+# =============================================================================
+# SECURITY VALIDATION
+# =============================================================================
+# Validate your configuration:
+# python config/security/environment-audit.py --format text
+
+# =============================================================================
+# FOR MORE INFORMATION
+# =============================================================================
+# See: config/security/secret-validation.yaml
+# See: config/security/environment-audit.py
+# See: config/environments/ directory