Harden secrets handling: env-var DB password + defensive .gitignore

Move hardcoded 'rootpassword' default in parser/{config,backfill_changeover, clmparser,udcparser}.py behind os.environ.get('SHOPDB_DB_PASSWORD', 'rootpassword'). Add defensive patterns (.env, *.key, *.pem, id_rsa*, secrets.*, etc.) to .gitignore across all project repos. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 12:50:12 -04:00
parent 0f78f76410
commit ccd29d9e4b
5 changed files with 30 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,22 @@ ENV/
 # OS
 .DS_Store
 Thumbs.db
+
+# Secrets and credentials (defensive)
+.env
+.env.*
+!.env.example
+!.env.*.example
+*.pem
+*.key
+id_rsa
+id_rsa.*
+*.ppk
+*.p12
+*.pfx
+secrets.json
+secrets.yaml
+secrets.yml
+*_secret
+*_secrets
+credentials.json