Remove default/hardcoded secrets from repository #20
Description
Description:
Default credentials and placeholder secrets appear in committed files:
application.yml:spring.security.user.name: admin,password: admin;jwt.secretset to a placeholderdocker-compose.yml:SPRING_DATASOURCE_PASSWORD=password,POSTGRES_PASSWORD=password,JWT_SECRET=your-secret-key-here...env.example: same placeholder JWT secret and default DB passwords
These should not be usable as real secrets in any environment.
Acceptance criteria:
- No default or example passwords/secrets in
application.yml; use placeholders that fail fast if not overridden (e.g. env vars) -
docker-compose.ymluses env vars (e.g. from.env) for all secrets; document that default values are dev-only -
env.exampledocuments that all secrets must be changed; add warning in README