chore(security): enhance environment configuration, CI workflows, and wallet daemon with security improvements

- Restructure .env.example with security-focused documentation, service-specific environment file references, and AWS Secrets Manager integration - Update CLI tests workflow to single Python 3.13 version, add pytest-mock dependency, and consolidate test execution with coverage - Add comprehensive security validation to package publishing workflow with manual approval gates, secret scanning, and release
2026-03-03 10:33:46 +01:00
parent 00d00cb964
commit f353e00172
220 changed files with 42506 additions and 921 deletions
--- a/infra/helm/charts/coordinator/values.yaml
+++ b/infra/helm/charts/coordinator/values.yaml
@@ -109,18 +109,19 @@ affinity: {}
 # Configuration
 config:
  appEnv: production
-  databaseUrl: "postgresql://aitbc:password@postgresql:5432/aitbc"
-  receiptSigningKeyHex: ""
-  receiptAttestationKeyHex: ""
+  databaseUrl: secretRef:db-credentials:url
+  receiptSigningKeyHex: secretRef:security-keys:receipt-signing
+  receiptAttestationKeyHex: secretRef:security-keys:receipt-attestation
  allowOrigins: "*"

 # PostgreSQL sub-chart configuration
 postgresql:
  enabled: true
  auth:
-    postgresPassword: "password"
+    postgresPassword: secretRef:db-credentials:password
    username: aitbc
    database: aitbc
+    existingSecret: db-credentials
  primary:
    persistence:
      enabled: true
--- a/infra/helm/values/dev/values.yaml
+++ b/infra/helm/values/dev/values.yaml
@@ -25,7 +25,7 @@ coordinator:
    port: 8001
  env:
    LOG_LEVEL: debug
-    DATABASE_URL: postgresql://aitbc:dev@postgres:5432/coordinator
+    DATABASE_URL: secretRef:db-credentials:url
  autoscaling:
    enabled: false

@@ -88,8 +88,9 @@ postgresql:
  enabled: true
  auth:
    username: aitbc
-    password: dev
+    password: secretRef:db-credentials:password
    database: coordinator
+    existingSecret: db-credentials
  primary:
    resources:
      requests: