Security: Replace predictable dev secrets in backend/.env.example with CHANGE_ME_* placeholders

[Copilot]

backend/.env.example contained hardcoded predictable secrets (datacendia_secure_2024, datacendia_redis_2024, etc.) that developers could copy verbatim into production environments.

Changes

• backend/.env.example — Replace 5 predictable secret values with CHANGE_ME_* placeholders:

-DATABASE_URL=******localhost:5433/datacendia
+DATABASE_URL=******localhost:5433/datacendia

-REDIS_URL=redis://:datacendia_redis_2024@localhost:6380
+REDIS_URL=redis://:CHANGE_ME_REDIS_PASSWORD@localhost:6380

-NEO4J_PASSWORD=datacendia_graph_2024
+NEO4J_PASSWORD=CHANGE_ME_NEO4J_PASSWORD

 # JWT Secrets (generate strong random strings in production)
+# Generate with: openssl rand -base64 64
-JWT_SECRET=datacendia-jwt-secret-change-in-production-2024
+JWT_SECRET=CHANGE_ME_GENERATE_A_SECURE_64_CHAR_SECRET
-JWT_REFRESH_SECRET=datacendia-refresh-secret-change-in-production-2024
+JWT_REFRESH_SECRET=CHANGE_ME_GENERATE_ANOTHER_SECURE_SECRET

• Adds openssl rand -base64 64 generation hint comment alongside JWT secrets to guide developers toward cryptographically secure values.

Original prompt

This PR addresses a security finding from a cross-repo security audit for the datacendia-core open-source repository.

Problem

The backend/.env.example file contains predictable development secrets that developers may copy directly into production environments. The current values are:

• Line 14: DATABASE_URL=postgresql://datacendia:datacendia_secure_2024@localhost:5433/datacendia
• Line 18: REDIS_URL=redis://:datacendia_redis_2024@localhost:6380
• Line 23: NEO4J_PASSWORD=datacendia_graph_2024
• Line 35: JWT_SECRET=datacendia-jwt-secret-change-in-production-2024
• Line 36: JWT_REFRESH_SECRET=datacendia-refresh-secret-change-in-production-2024

Changes Required

In backend/.env.example, replace the predictable development secrets with CHANGE_ME_* placeholder values:

1. Line 14: Change the DATABASE_URL password from datacendia_secure_2024 to CHANGE_ME_DB_PASSWORD. The full value should become:
   DATABASE_URL=postgresql://datacendia:CHANGE_ME_DB_PASSWORD@localhost:5433/datacendia

2. Line 18: Change the REDIS_URL password from datacendia_redis_2024 to CHANGE_ME_REDIS_PASSWORD. The full value should become:
   REDIS_URL=redis://:CHANGE_ME_REDIS_PASSWORD@localhost:6380

3. Line 23: Change NEO4J_PASSWORD=datacendia_graph_2024 to:
   NEO4J_PASSWORD=CHANGE_ME_NEO4J_PASSWORD

4. Line 35: Change JWT_SECRET=datacendia-jwt-secret-change-in-production-2024 to:
   JWT_SECRET=CHANGE_ME_GENERATE_A_SECURE_64_CHAR_SECRET

5. Line 36: Change JWT_REFRESH_SECRET=datacendia-refresh-secret-change-in-production-2024 to:
   JWT_REFRESH_SECRET=CHANGE_ME_GENERATE_ANOTHER_SECURE_SECRET

Also add a comment near the JWT secrets section recommending how to generate secure values:

# Generate with: openssl rand -base64 64

Do NOT modify any other files. Only change backend/.env.example.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Reveiw the security of all repos

Assistant:

I'll review the security of all repositories under the datacendia organization/user. Let me start by gathering information about the repos and their security configurations.

Assistant: Now let me check security-related configurations for each repo — Dependabot alerts, branch protection, security policies, etc.

Assistant: Now let me check for additional security-relevant files like .env examples, Docker configs, workflow files, and dependency files across the repos.

Assistant: Now let me check the remaining repos for CI/security workflows and .env files:

Assistant: Here is a comprehensive security review of all 4 Datacendia repositories.

---

🛡️ Security Review — All Datacendia Repos

Repository Inventory

Repo	Visibility	Language	Default Branch	License
datacendia-core	Public	TypeScript	master	Apache 2.0
datacendia-components	Private	TypeScript	main	Other
datacendia-marketing	Public	JavaScript	master	Other
decision-governance-infrastructure	Public	—	main	Other

---

1. Security Policy (SECURITY.md)

Repo	Has SECURITY.md	Disclosure Contact	SLA Defined
datacendia-core	✅	security@datacendia.com	✅ (48h ack, 90-day fix)
datacendia-components	✅	security@datacendia.com	✅ (24-48h ack, severity-based)
datacendia-marketing	❌	—	❌
decision-governance-infrastructure	❌	—	❌

⚠️ Finding: datacendia-marketing and decision-governance-infrastructure have no SECURITY.md. Both are public repos — anyone discovering a vulnerability has no reporting channel.

---

2. Dependency Management (Dependabot)

Repo	Has dependabot.yml	Ecosystems Covered
datacendia-core	✅	npm (root + backend), GitHub Actions, Docker
datacendia-components	✅	npm (root + backend), GitHub Actions, Docker
datacendia-marketing	❌	—
decision-governance-infrastructure	❌	—

⚠️ Finding: Two public repos (datacendia-marketing, decision-governance-infrastructure) have no automated dependency updates. The marketing site uses JavaScript and is publicly accessible — outdated dependencies could be exploited.

---

3. CI/CD Security Workflows

Repo	CI Pipeline	Security Workflow	CodeQL SAST	Secret Scanning (TruffleHog)	Dependency Audit
datacendia-core	✅ ci.yml	✅ security.yml	✅	✅	✅
datacendia-components	✅ (multiple)	✅	✅	✅	✅
datacendia-marketing	❌	❌	❌	❌	❌
decision-governance-infrastructure	❌	❌	❌	❌	❌

🔴 Critical Finding: datacendia-marketing and `decision-governa...

This pull request was created from Copilot chat.