fix: move hardcoded postgres credentials to .env, annotate secrets

2 files changed, 22 insertions, 14 deletions

diff --git a/.env.example b/.env.example
index bdc6a67..2cc65da 100644
--- a/.env.example
+++ b/.env.example
@@ -1,11 +1,23 @@
-# Alpaca API (get keys from https://app.alpaca.markets)
+# === SECRETS (keep secure, do not commit .env) ===
 ALPACA_API_KEY=
 ALPACA_API_SECRET=
-ALPACA_PAPER=true
-
-REDIS_URL=redis://localhost:6379
+POSTGRES_USER=trading
+POSTGRES_PASSWORD=trading
 DATABASE_URL=postgresql+asyncpg://trading:trading@localhost:5432/trading
+REDIS_URL=redis://localhost:6379
+TELEGRAM_BOT_TOKEN=
+FINNHUB_API_KEY=
+ANTHROPIC_API_KEY=
+API_AUTH_TOKEN=
+METRICS_AUTH_TOKEN=
+
+# === CONFIGURATION ===
+ALPACA_PAPER=true
+DRY_RUN=true
+POSTGRES_DB=trading
 LOG_LEVEL=INFO
+LOG_FORMAT=json
+HEALTH_PORT=8080
 RISK_MAX_POSITION_SIZE=0.1
 RISK_STOP_LOSS_PCT=5
 RISK_DAILY_LOSS_LIMIT_PCT=10
@@ -13,16 +25,10 @@ RISK_TRAILING_STOP_PCT=0
 RISK_MAX_OPEN_POSITIONS=10
 RISK_VOLATILITY_LOOKBACK=20
 RISK_VOLATILITY_SCALE=false
-DRY_RUN=true
-TELEGRAM_BOT_TOKEN=
 TELEGRAM_CHAT_ID=
 TELEGRAM_ENABLED=false
-LOG_FORMAT=json
-HEALTH_PORT=8080
-METRICS_AUTH_TOKEN=
 
 # News Collector
-FINNHUB_API_KEY=
 NEWS_POLL_INTERVAL=300
 SENTIMENT_AGGREGATE_INTERVAL=900
 
@@ -31,5 +37,7 @@ SELECTOR_FINAL_TIME=15:30
 SELECTOR_MAX_PICKS=3
 
 # LLM (for stock selector)
-ANTHROPIC_API_KEY=
 ANTHROPIC_MODEL=claude-sonnet-4-20250514
+
+# === API SECURITY ===
+CORS_ORIGINS=http://localhost:3000
diff --git a/docker-compose.yml b/docker-compose.yml
index 63630ff..bf0fa6e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,9 +16,9 @@ services:
     ports:
       - "5432:5432"
     environment:
-      POSTGRES_USER: trading
-      POSTGRES_PASSWORD: trading
-      POSTGRES_DB: trading
+      POSTGRES_USER: ${POSTGRES_USER:-trading}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-trading}
+      POSTGRES_DB: ${POSTGRES_DB:-trading}
     volumes:
       - postgres_data:/var/lib/postgresql/data
     healthcheck: