[SECURITY] Missing secrets management best practices - risk of credential exposure

[Arijit429]

Problem

The application currently lacks proper secrets management infrastructure, creating security risks:

1. No .env.example template — developers don't know which env vars are required
2. Secrets in logs — LLM API keys and DB credentials may leak in error traces
3. No secrets rotation docs — unclear how to rotate keys in production
4. Git risk — developers might accidentally commit .env files

For CAL FIRE deployment, this is critical because:

• Incident data is sensitive (personnel, locations, operations)
• API keys must be rotated regularly per federal compliance
• Production secrets leakage could expose entire system

Current State

• .env is gitignored, but no template exists
• No validation that secrets aren't logged
• No documentation on secrets rotation
• Logs in feat: harden global exception handlers — prevent traceback leakage and unify error responses #434 may still contain sensitive data

Proposed Solution

1. Add .env.example template

# Database
DATABASE_URL=postgresql://user:pass@localhost/fireform

# LLM Service  
LLM_API_KEY=your_api_key_here
LLM_TIMEOUT=30

# Application
SECRET_KEY=your_secret_key_here
TEMPLATE_DIR=./templates

2. Add secrets sanitization in logging

# Redact common secret patterns in logs
REDACT_PATTERNS = [
    r'(api[_-]?key["\s:=]+)([a-zA-Z0-9-_]+)',
    r'(password["\s:=]+)([^\s"]+)',
    r'(token["\s:=]+)([a-zA-Z0-9-_.]+)'
]

3. Add secrets rotation documentation

• How to rotate DB credentials
• How to rotate LLM API keys
• Zero-downtime rotation strategy

4. Add pre-commit hook template (optional)

Suggest git hook to prevent .env commits

Impact

• Security: Prevents credential leakage
• Developer Experience: Clear onboarding for new developers
• Compliance: Aligns with federal security standards
• Production-ready: Necessary for CAL FIRE pilot deployment

References

• OWASP: Sensitive Data Exposure
• NIST SP 800-53: Access Control (AC-2)

[Arijit429]

Hello @juanalvv
I have covered the documentation in my pr #466 targeting this issue.
Happy to recieve any further updates or guidance from your side