chore(secrets): remove all hardcoded secrets from HEAD

Replace leaked passwords and AWS access key ID with placeholders / env-var
references across k8s overlays, docs, tests, CI workflow, and docker-compose.
Delete generated interweb-*.yaml manifests that embedded full credentials.
Add .env.example and k8s/SECRET-EXPOSURE-AUDIT.md documenting the cleanup.

Companion to a follow-up history rewrite that scrubs the same values from
all reachable commits.

Author: Anmol1696

.env.example

@@ -0,0 +1,22 @@
+# Copy this file to .env and fill in real values.
+# .env is gitignored and must never be committed.
+
+# PostgreSQL superuser password used by docker-compose and local k8s overlays.
+# Choose a strong unique value per environment.
+POSTGRES_PASSWORD=changeme-set-a-strong-password
+
+# pgAdmin login password (only used by k8s overlays that deploy pgAdmin).
+PGADMIN_DEFAULT_PASSWORD=changeme-set-a-strong-password
+
+# MinIO root credentials (S3-compatible local storage).
+MINIO_ROOT_USER=changeme-set-a-username
+MINIO_ROOT_PASSWORD=changeme-set-a-strong-password
+
+# Mailgun (only required if EMAIL_SEND_USE_SMTP is false in dev).
+MAILGUN_API_KEY=
+MAILGUN_KEY=
+MAILGUN_DOMAIN=
+
+# AWS Route53 access key ID for cert-manager DNS01 challenges (per-environment).
+ROUTE53_ACCESS_KEY_ID=
+ROUTE53_HOSTED_ZONE_ID=

.github/workflows/test-k8s-deployment.yaml

@@ -121,6 +121,18 @@ jobs:
             echo "GHCR_USERNAME/GHCR_TOKEN not set; assuming images are public."
           fi
 
+      - name: Generate per-run postgres password
+        # k8s overlay secrets use REPLACE_WITH_POSTGRES_PASSWORD placeholders; substitute
+        # a fresh per-run value before Skaffold applies them so deploys + e2e share it.
+        run: |
+          PG_PASSWORD=$(openssl rand -base64 24 | tr -d '/+=' | cut -c1-24)
+          echo "PG_PASSWORD=$PG_PASSWORD" >> "$GITHUB_ENV"
+          echo "::add-mask::$PG_PASSWORD"
+          # Substitute into all kustomize secret files for the local-simple overlay.
+          find k8s/overlays/local-simple -type f \( -name '*.yaml' -o -name '*.yml' \) \
+            -exec sed -i.bak "s|REPLACE_WITH_POSTGRES_PASSWORD|${PG_PASSWORD}|g" {} \;
+          find k8s/overlays/local-simple -name '*.bak' -delete
+
       - name: Deploy with Skaffold (per-function profile)
         run: skaffold run -p ${{ matrix.name }}
 
@@ -149,7 +161,7 @@ jobs:
           PGHOST: localhost
           PGPORT: "5432"
           PGUSER: postgres
-          PGPASSWORD: "postgres123!"
+          PGPASSWORD: ${{ env.PG_PASSWORD }}
           PGDATABASE: constructive
         run: |
           kubectl port-forward -n constructive-functions svc/postgres 5432:5432 &

.gitignore

@@ -140,3 +140,7 @@ vite.config.ts.timestamp-*
 
 # Generated function workspace packages (created by scripts/generate.ts)
 generated/
+
+# Rendered Kubernetes manifests may include Secret objects. Regenerate locally
+# with k8s/Makefile targets instead of committing them.
+k8s/manifests/*.yaml

CLAUDE.md

@@ -40,11 +40,11 @@ pnpm test:integration  # tests/integration/ — isolated component tests
 Requires Skaffold running (`make skaffold-dev`) or equivalent with port-forwards active.
 
 ```bash
-# With default credentials (postgres/postgres123! on localhost:5432)
+# With default credentials (postgres/$POSTGRES_PASSWORD on localhost:5432)
 pnpm test:e2e
 
 # With explicit env vars
-PGHOST=localhost PGPORT=5432 PGUSER=postgres PGPASSWORD='postgres123!' PGDATABASE=constructive pnpm test:e2e
+PGHOST=localhost PGPORT=5432 PGUSER=postgres PGPASSWORD='$POSTGRES_PASSWORD' PGDATABASE=constructive pnpm test:e2e
 ```
 
 E2E tests insert jobs into `app_jobs.jobs` via SQL and verify the job service picks them up and the functions process them.

DEVELOPMENT.md

@@ -327,7 +327,7 @@ pnpm test:e2e
 With explicit env vars:
 
 ```bash
-PGHOST=localhost PGPORT=5432 PGUSER=postgres PGPASSWORD='postgres123!' PGDATABASE=constructive pnpm test:e2e
+PGHOST=localhost PGPORT=5432 PGUSER=postgres PGPASSWORD="$POSTGRES_PASSWORD" PGDATABASE=constructive pnpm test:e2e
 ```
 
 ### What's tested

docker-compose.yml

@@ -14,7 +14,7 @@ services:
     environment:
       POSTGRES_DB: constructive
       POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: password
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set (see .env.example)}
     ports:
       - "5432:5432"
     volumes:
@@ -34,7 +34,7 @@ services:
       PGHOST: postgres
       PGPORT: "5432"
       PGUSER: postgres
-      PGPASSWORD: password
+      PGPASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set (see .env.example)}
       PGDATABASE: constructive
     entrypoint: ["bash", "-c"]
     command:
@@ -75,7 +75,7 @@ services:
       PGHOST: postgres
       PGPORT: "5432"
       PGUSER: postgres
-      PGPASSWORD: password
+      PGPASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set (see .env.example)}
       PGDATABASE: constructive
       # API configuration — header-based routing (X-Api-Name, X-Database-Id)
       API_ENABLE_SERVICES: "true"

docs/skills/local-dev-skaffold.md

@@ -215,7 +215,7 @@ To reproduce the CI e2e matrix locally:
 make skaffold-dev
 
 # 2. In another terminal, run a specific function's e2e test
-PGHOST=localhost PGPORT=5432 PGUSER=postgres PGPASSWORD='postgres123!' PGDATABASE=constructive \
+PGHOST=localhost PGPORT=5432 PGUSER=postgres PGPASSWORD="$POSTGRES_PASSWORD" PGDATABASE=constructive \
   pnpm jest tests/e2e/__tests__/simple-email.e2e.test.ts tests/e2e/__tests__/job-queue.test.ts
 
 # Or run all e2e tests

k8s/ARCHITECTURE.md

@@ -44,7 +44,8 @@ This is what `make skaffold-dev` deploys.
   - PgBouncer `Pooler postgres-pooler` for read‑write connections.
 - Access pattern:
   - Applications connect via `postgres-cluster-rw.postgres-db.svc.cluster.local:5432` (dev/staging) or `postgres` (local / local-simple overlays).
-  - Credentials are provided via `base/cnpg/secret.yaml` and `base/constructive/pg-secret.yaml` (or per-overlay `pg-secret.yaml` for local).
+  - Credentials are referenced by Secret name and must be created out-of-band
+    with a secret manager, ExternalSecrets, SOPS, or `kubectl create secret`.
 
 ### Observations
 

k8s/Makefile

@@ -59,7 +59,8 @@ kustomize-staging:
 	$(KUBECTL) apply -n $(CONSTRUCTIVE_NS) -k $(K8S_DIR)/overlays/staging
 
 # Render overlays to single YAML files (no apply).
-# Rendered manifests go under k8s/manifests to keep the k8s root clean.
+# Rendered manifests go under k8s/manifests, which is gitignored because
+# rendered output may contain Secret objects.
 MANIFESTS_DIR ?= $(K8S_DIR)/manifests
 
 render-dev:
@@ -146,9 +147,9 @@ proxy-stop:
 
 ######## Helper commands ########
 
-ZONE_ID=Z00381072B5MMXZMWY1JN  # launchql.dev
-LB_IP=34.55.147.174  # Server Load Balancer IP of GCP
-AWS_PROFILE=webinc
+ZONE_ID ?= REPLACE_WITH_ROUTE53_ZONE_ID
+LB_IP ?= REPLACE_WITH_LOAD_BALANCER_IP
+AWS_PROFILE ?= default
 
 aws-route53:
 	aws route53 change-resource-record-sets \

k8s/README.md

@@ -56,4 +56,5 @@ If pods show `ImagePullBackOff`, this secret is missing or the PAT has expired.
 ## Notes
 
 - Function deployments are not in the `local-simple` overlay — Skaffold consumes the per-function manifests generated under `generated/<name>/k8s/` directly. Run `pnpm generate` after editing any `handler.json`.
-- Secrets in `base/` (Postgres, Mailgun, server bucket) are development defaults; replace them via your secret manager before any non-local use.
+- Rendered manifests in `k8s/manifests/*.yaml` are gitignored because Kustomize output can include Kubernetes `Secret` objects. Regenerate them locally with `make render-*` when needed.
+- Tracked Secret manifests use explicit placeholder values only (e.g. `REPLACE_WITH_POSTGRES_PASSWORD`). Create real secrets through your secret manager, ExternalSecrets, SOPS, or `kubectl create secret`; do not commit rendered or environment-specific secret values.