Security: replace predictable dev secrets in backend/.env.example with CHANGE_ME_* placeholders #10

Draft

Copilot wants to merge 2 commits into master from copilot/rotate-dev-secrets-in-env-example

Security: replace predictable dev secrets in backend/.env.example with CHANGE_ME_* placeholders#10
Copilot wants to merge 2 commits into
masterfrom
copilot/rotate-dev-secrets-in-env-example

Conversation

Copilot AI (Contributor) commented Apr 8, 2026

backend/.env.example contained predictable hardcoded development secrets (e.g. datacendia_secure_2024, datacendia-jwt-secret-change-in-production-2024) that developers could copy verbatim into production environments.

Changes

  • backend/.env.example — replaced 5 secret values with explicit CHANGE_ME_* placeholders:

    Variable                Old value                                             New placeholder
    DATABASE_URL password   datacendia_secure_2024                                CHANGE_ME_POSTGRES_PASSWORD
    REDIS_URL password      datacendia_redis_2024                                 CHANGE_ME_REDIS_PASSWORD
    NEO4J_PASSWORD          datacendia_graph_2024                                 CHANGE_ME_USE_A_STRONG_PASSWORD
    JWT_SECRET              datacendia-jwt-secret-change-in-production-2024       CHANGE_ME_GENERATE_A_SECURE_64_CHAR_SECRET
    JWT_REFRESH_SECRET      datacendia-refresh-secret-change-in-production-2024   CHANGE_ME_GENERATE_ANOTHER_SECURE_SECRET

  • Added the comment "# Generate secure secrets with: openssl rand -base64 64" alongside the JWT variables.

Root .env.example already uses CHANGE_ME_* patterns and is unchanged.

Original prompt

This PR addresses a security audit finding: the backend/.env.example file contains predictable development secrets that developers may accidentally copy into production.

Changes Required

Rotate/randomize .env.example dev secrets in backend/.env.example

Replace these predictable development secrets with CHANGE_ME_* placeholder values:

Current → New:

  1. Line containing DATABASE_URL=postgresql://datacendia:datacendia_secure_2024@localhost:5433/datacendia
    → Change to DATABASE_URL=postgresql://datacendia:CHANGE_ME_POSTGRES_PASSWORD@localhost:5433/datacendia

  2. Line containing REDIS_URL=redis://:datacendia_redis_2024@localhost:6380
    → Change to REDIS_URL=redis://:CHANGE_ME_REDIS_PASSWORD@localhost:6380

  3. Line containing NEO4J_PASSWORD=datacendia_graph_2024
    → Change to NEO4J_PASSWORD=CHANGE_ME_USE_A_STRONG_PASSWORD

  4. Line containing JWT_SECRET=datacendia-jwt-secret-change-in-production-2024
    → Change to JWT_SECRET=CHANGE_ME_GENERATE_A_SECURE_64_CHAR_SECRET

  5. Line containing JWT_REFRESH_SECRET=datacendia-refresh-secret-change-in-production-2024
    → Change to JWT_REFRESH_SECRET=CHANGE_ME_GENERATE_ANOTHER_SECURE_SECRET

Also add a comment near the JWT secrets section:

# Generate secure secrets with: openssl rand -base64 64

Important: Only modify backend/.env.example. The root .env.example already uses proper CHANGE_ME_* placeholders and does NOT need changes.

Do NOT change any other files. Only the backend/.env.example file needs updating.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Review the security of all repos

Assistant:

I'll review the security of all repositories under the datacendia organization/user. Let me start by gathering information about the repos and their security configurations.

Assistant: Now let me check security-related configurations for each repo — Dependabot alerts, branch protection, security policies, etc.

Assistant: Now let me check for additional security-relevant files like .env examples, Docker configs, workflow files, and dependency files across the repos.

Assistant: Now let me check the remaining repos for CI/security workflows and .env files:

Assistant: Here is a comprehensive security review of all 4 Datacendia repositories.


🛡️ Security Review — All Datacendia Repos

Repository Inventory

Repo                                Visibility  Language    Default Branch  License
datacendia-core                     Public      TypeScript  master          Apache 2.0
datacendia-components               Private     TypeScript  main            Other
datacendia-marketing                Public      JavaScript  master          Other
decision-governance-infrastructure  Public                  main            Other

1. Security Policy (SECURITY.md)

Repo                                Has SECURITY.md  Disclosure Contact       SLA Defined
datacendia-core                     ✅               security@datacendia.com  ✅ (48h ack, 90-day fix)
datacendia-components               ✅               security@datacendia.com  ✅ (24-48h ack, severity-based)
datacendia-marketing                none
decision-governance-infrastructure  none

⚠️ Finding: datacendia-marketing and decision-governance-infrastructure have no SECURITY.md. Both are public repos — anyone discovering a vulnerability has no reporting channel.


2. Dependency Management (Dependabot)

Repo                                Has dependabot.yml  Ecosystems Covered
datacendia-core                     ✅                  npm (root + backend), GitHub Actions, Docker
datacendia-components               ✅                  npm (root + backend), GitHub Actions, Docker
datacendia-marketing                none
decision-governance-infrastructure  none

⚠️ Finding: Two public repos (datacendia-marketing, decision-governance-infrastructure) have no automated dependency updates. The marketing site uses JavaScript and is publicly accessible — outdated dependencies could be exploited.


3. CI/CD Security Workflows

Repo                                CI Pipeline    Security Workflow  CodeQL SAST  Secret Scanning (TruffleHog)  Dependency Audit
datacendia-core                     ci.yml         security.yml
datacendia-components               ✅ (multiple)
datacendia-marketing                none
decision-governance-infrastructure  none

🔴 Critical Finding: datacendia-marketing and decision-governance-infrastructure have zero CI/CD pipelines — no automated testing, no security scanning, no code quality checks.


4. Branch Protection

I was unable to query branch protection rules via the API, but based on the codebase review:

  • datacendia-core and datacendia-components have CODEOWN...

This pull request was created from Copilot chat.
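Placeholders only help if the copy of `.env` that actually runs never keeps them, and never keeps the old values either. The block below is an added example written for this page; it is not code from this PR or from the datacendia-core repository. It renders a real `.env` from a CHANGE_ME_* template with fresh random secrets, and audits a parsed environment so a process can refuse to start while any placeholder or any of the five predictable values listed above is still present. The function names (`renderEnv`, `parseEnv`, `auditEnv`, `assertSafeSecrets`), the regex, the length floor and the sample template are ours; the template mirrors the six backend/.env.example lines the PR touches.

```typescript
// Added example for this PR's theme; it is not code from the datacendia-core
// repository. Function names, the regex and the sample template are ours; the
// five predictable values in KNOWN_WEAK_SECRETS are the ones the PR removed.
import { randomBytes } from "node:crypto";

// Values the PR replaced. A deployment must never run with any of them.
export const KNOWN_WEAK_SECRETS: readonly string[] = [
  "datacendia_secure_2024",
  "datacendia_redis_2024",
  "datacendia_graph_2024",
  "datacendia-jwt-secret-change-in-production-2024",
  "datacendia-refresh-secret-change-in-production-2024",
];

const PLACEHOLDER = /CHANGE_ME_[A-Z0-9_]*/g; // matches every CHANGE_ME_* token
const SECRET_BYTES = 32;                      // 256 bits per generated secret
const MIN_SECRET_CHARS = 32;                  // floor for *_SECRET values at audit time

// Fresh secret for one template line. Passwords embedded in a URL
// (postgresql://user:PASS@host, redis://:PASS@host) get hex, because the
// '/', '+' and '=' characters of plain base64 are URL-reserved and would
// have to be percent-encoded; standalone values get base64url instead.
function secretFor(line: string): string {
  const buf = randomBytes(SECRET_BYTES);
  return line.includes("://") ? buf.toString("hex") : buf.toString("base64url");
}

// Turn the .env.example text into a real .env: every CHANGE_ME_* token is
// replaced with its own random value; comment lines are left untouched.
export function renderEnv(template: string, gen: (line: string) => string = secretFor): string {
  return template
    .split("\n")
    .map((line) => (line.trimStart().startsWith("#") ? line : line.replace(PLACEHOLDER, () => gen(line))))
    .join("\n");
}

// Minimal KEY=VALUE parser (first '=' splits; blank and comment lines skipped).
export function parseEnv(text: string): Record<string, string> {
  const env: Record<string, string> = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return env;
}

export interface Finding { key: string; reason: string }

// Flag placeholders that were copied verbatim, the old predictable defaults
// (even when embedded inside a URL), and *_SECRET values that are too short.
export function auditEnv(env: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const [key, value] of Object.entries(env)) {
    if (value.includes("CHANGE_ME_")) findings.push({ key, reason: "placeholder was never replaced" });
    for (const weak of KNOWN_WEAK_SECRETS) {
      if (value.includes(weak)) findings.push({ key, reason: `known predictable dev secret (${weak})` });
    }
    if (key.endsWith("_SECRET") && value.length < MIN_SECRET_CHARS) {
      findings.push({ key, reason: `shorter than ${MIN_SECRET_CHARS} characters` });
    }
  }
  return findings;
}

// Startup guard: a production process should call this before serving traffic.
export function assertSafeSecrets(env: Record<string, string>): void {
  const findings = auditEnv(env);
  if (findings.length > 0) {
    const detail = findings.map((f) => `  ${f.key}: ${f.reason}`).join("\n");
    throw new Error(`refusing to start with unsafe secrets:\n${detail}`);
  }
}

// Constructed sample mirroring the six backend/.env.example lines this PR touches.
export const EXAMPLE_TEMPLATE = [
  "DATABASE_URL=postgresql://datacendia:CHANGE_ME_POSTGRES_PASSWORD@localhost:5433/datacendia",
  "REDIS_URL=redis://:CHANGE_ME_REDIS_PASSWORD@localhost:6380",
  "NEO4J_PASSWORD=CHANGE_ME_USE_A_STRONG_PASSWORD",
  "# Generate secure secrets with: openssl rand -base64 64",
  "JWT_SECRET=CHANGE_ME_GENERATE_A_SECURE_64_CHAR_SECRET",
  "JWT_REFRESH_SECRET=CHANGE_ME_GENERATE_ANOTHER_SECURE_SECRET",
].join("\n");
```

Two caveats on the comment the PR adds: `openssl rand -base64 64` emits 64 random bytes, which is 88 base64 characters plus a newline, so it is plenty for JWT_SECRET but does not match the "64 char" wording of the placeholder; and its output can contain `/`, `+` and `=`, so a value pasted into the password position of DATABASE_URL or REDIS_URL must be percent-encoded or generated with `openssl rand -hex 32` instead, which is why the example uses hex for URL-embedded passwords. The audit deliberately checks the known weak strings in addition to length: the old JWT secret is 47 characters long and would pass a length check alone.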

…h CHANGE_ME_* placeholders

Agent-Logs-Url: https://github.com/datacendia/datacendia-core/sessions/ccc76d49-c963-4a67-bc18-19a4169939a5

Co-authored-by: datacendia <247299412+datacendia@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update development secrets in backend/.env.example" to "Security: replace predictable dev secrets in backend/.env.example with CHANGE_ME_* placeholders" on Apr 8, 2026
Copilot AI requested a review from datacendia on April 8, 2026 at 11:05
