Harden secrets handling: env-var DB password + defensive .gitignore

Move hardcoded 'rootpassword' default in parser/{config,backfill_changeover,
clmparser,udcparser}.py behind os.environ.get('SHOPDB_DB_PASSWORD',
'rootpassword'). Add defensive patterns (.env, *.key, *.pem, id_rsa*,
secrets.*, etc.) to .gitignore across all project repos.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

parser/config.py

@@ -1,6 +1,7 @@
 """
 UDC Parser Configuration
 """
+import os
 import platform
 
 # Detect OS
@@ -21,16 +22,16 @@ DB_CONFIG_DEV = {
     'host': '127.0.0.1',
     'port': 3306,
     'user': 'root',
-    'password': 'rootpassword',
+    'password': os.environ.get('SHOPDB_DB_PASSWORD', 'rootpassword'),
     'database': 'shopdb'
 }
 
 # Database - Production (update these values)
 DB_CONFIG_PROD = {
-    'host': 'PROD_MYSQL_HOST',  # TODO: Update with production host
+    'host': os.environ.get('SHOPDB_DB_HOST', 'PROD_MYSQL_HOST'),
     'port': 3306,
-    'user': 'PROD_USER',        # TODO: Update with production user
-    'password': 'PROD_PASSWORD', # TODO: Update with production password
+    'user': os.environ.get('SHOPDB_DB_USER', 'PROD_USER'),
+    'password': os.environ.get('SHOPDB_DB_PASSWORD', 'PROD_PASSWORD'),
     'database': 'shopdb'
 }