Security: hardcoded credentials in docker-compose and chat_share.py #1527

@Coastalbee

Description

A few security issues worth addressing:

1. Hardcoded database password in compose files
server/docker-compose.dev.yml and server/docker-compose.yml both contain a literal POSTGRES_PASSWORD value. This should use environment variable substitution (${POSTGRES_PASSWORD}) with the value stored in a gitignored .env file, following the same pattern as many other services in the stack.

2. Hardcoded fallback key in chat_share.py
server/app/model/chat/chat_share.py uses os.getenv("CHAT_SHARE_SECRET_KEY", "EGB1WRC9xMUVgNoIPH8tLw"). The hardcoded fallback means any deployment that omits the env var silently uses a public, known key for token signing. The fallback should be removed so the app fails loudly if the secret is not configured.

3. .env not in server/.gitignore
server/.gitignore does not include .env, which means contributor credentials could be accidentally staged and committed. .env should be explicitly ignored.

Recommended fixes:

  • Add .env and alembic.ini to server/.gitignore
  • Replace hardcoded passwords in compose files with ${POSTGRES_PASSWORD} (sourced from a gitignored .env)
  • Remove the hardcoded fallback from chat_share.py and require CHAT_SHARE_SECRET_KEY to be explicitly set
  • Update .env.example with CHANGE_ME placeholders so new contributors know to generate their own secrets
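As an added illustration of the fail-loudly behaviour recommended above for CHAT_SHARE_SECRET_KEY (and, by extension, POSTGRES_PASSWORD), the following is example code, not the project's own: a required-secret loader that refuses to start when a secret is unset, is still a CHANGE_ME-style placeholder, or is the public fallback value quoted in this issue. The function and constant names are hypothetical, and the sample environments in the `__main__` block are constructed.

```python
"""Fail-loudly secret loading (added example; not code from the project)."""
import os
from typing import Dict, Iterable, Mapping, Optional


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent, a placeholder, or a known default."""


# Values that must never be accepted as a real secret.  The first entry is the
# hardcoded fallback quoted in the issue (public, so it cannot be a secret);
# the others are the CHANGE_ME-style placeholders proposed for .env.example.
# Constructed list for this example.
REJECTED_SECRET_VALUES = frozenset({
    "EGB1WRC9xMUVgNoIPH8tLw",
    "CHANGE_ME",
    "changeme",
    "",
})


def require_secret(name: str,
                   env: Optional[Mapping[str, str]] = None,
                   min_length: int = 16) -> str:
    """Return the secret named `name`, or raise instead of falling back.

    `env` defaults to os.environ; passing a mapping makes the check testable.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if value is None:
        raise MissingSecretError(
            f"{name} is not set; refusing to start with no configured secret")
    stripped = value.strip()
    if stripped in REJECTED_SECRET_VALUES or stripped.upper().startswith("CHANGE_ME"):
        raise MissingSecretError(
            f"{name} is a placeholder or publicly known default; generate a real secret")
    if len(stripped) < min_length:
        raise MissingSecretError(
            f"{name} is shorter than {min_length} characters; too weak for signing")
    return stripped


def load_chat_share_secret(env: Optional[Mapping[str, str]] = None) -> str:
    """Hypothetical replacement for os.getenv("CHAT_SHARE_SECRET_KEY", "<fallback>")."""
    return require_secret("CHAT_SHARE_SECRET_KEY", env)


def audit_env(env: Mapping[str, str], required: Iterable[str]) -> Dict[str, str]:
    """Return {secret_name: reason} for every required secret that would be rejected.

    Useful as a startup or CI check over a rendered .env before deploying.
    """
    problems: Dict[str, str] = {}
    for name in required:
        try:
            require_secret(name, env)
        except MissingSecretError as exc:
            problems[name] = str(exc)
    return problems


REQUIRED_SECRETS = ("CHAT_SHARE_SECRET_KEY", "POSTGRES_PASSWORD")

if __name__ == "__main__":
    # Constructed sample environments: a fresh copy of .env.example, a
    # deployment that forgot the env var entirely, and a correctly configured one.
    unedited_example = {"CHAT_SHARE_SECRET_KEY": "CHANGE_ME", "POSTGRES_PASSWORD": "CHANGE_ME"}
    forgot_key = {"POSTGRES_PASSWORD": "q7Pz2mN9vL4kX1bR8tW3"}
    configured = {"CHAT_SHARE_SECRET_KEY": "c3f8a1d9e2b74f6a9d0c5e1b7a2f4d8e",
                  "POSTGRES_PASSWORD": "q7Pz2mN9vL4kX1bR8tW3"}
    for label, sample in (("unedited .env.example", unedited_example),
                          ("missing CHAT_SHARE_SECRET_KEY", forgot_key),
                          ("configured", configured)):
        print(label, "->", audit_env(sample, REQUIRED_SECRETS) or "ok")
```

Run as a startup check, `load_chat_share_secret()` raises before any token is ever signed, so a deployment that omits the variable fails visibly instead of signing with the shared fallback; `audit_env` gives the same verdict for a whole environment at once.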
