@overcut-ai overcut-ai bot commented Dec 24, 2025

Security Vulnerability: Hardcoded Database Credentials in Repository - CWE-798

Overview

This PR remediates CWE-798 by implementing the approved secure-secrets design to ensure database credentials are never stored in source control and all services rely on validated runtime configuration.

Issue: #215

Implementation Summary

Phase 1: Clean Up Repository Secrets

  • Removed the committed .env, expanded .gitignore, and added apps/hotel-management-service-server/.env.example with placeholders so secrets are never stored in git.
  • Commit: 4a4fb64

Phase 2: Harden Configuration Loading & Validation

  • Added app.config.ts, wired ConfigModule with Joi validation, and removed unsafe default fallbacks so the service only uses explicitly supplied secrets.
  • Commit: db9dc81

Phase 3: Secrets Manager Override Support

  • Implemented provider-agnostic SecretsManagerService, added AWS/GCP SDK integrations, and introduced bootstrapSecrets so remote secrets hydrate process.env prior to Nest boot.
  • Commit: 0ce6267

Phase 4: Secure Local & Containerized Development Flow

  • Updated Docker Compose and dev workflows to rely on .env.local/runtime env vars, ensuring containers never bake in secrets from the deleted .env file.
  • Commit: 1b08156

Phase 5: Secret Rotation & Operational Follow-Up

  • Added scripts/rotate-secrets.ts, extended secret service update flows, and introduced an npm script to streamline immediate credential rotation.
  • Commit: 3692e5c

Testing Commit

  • Added Jest coverage for Joi validation, SecretsManagerService (AWS, GCP, env providers), bootstrap hydration, and the rotation CLI.
  • Commit: 5486315

Validation Commit

  • Ran ESLint + Prettier, fixed style violations, and ensured the repo adheres to formatting rules.
  • Commit: a692fd9

Testing

  • ✅ Comprehensive tests written for all new functionality
  • ✅ All tests passing (npm test)
  • ✅ Test coverage meets project standards (Secrets Manager, config bootstrap, rotation CLI)

Validation

  • ✅ Lint checks passed (ESLint)
  • ✅ Format checks passed (Prettier)
  • ✅ Code quality verified

Files Changed

  • Total Commits: 7
  • Implementation Commits: 5
  • Test Commit: 1
  • Validation Commit: 1

Review Notes

  • Secrets are now expected via environment variables or configured vault providers; ensure SECRETS_MANAGER_PROVIDER is set appropriately in each environment.
  • Run npm run rotate-secrets after deploying to rotate credentials and push values to the active secrets manager.

Implementation complete and ready for review.
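The fail-closed loading described in Phase 2 and Phase 3 above, as an added example that is not code from this PR or its repository. The variable names (`DB_URL`, `DB_USER`, `DB_PASSWORD`), the function names, the placeholder pattern and the rule that remote values take precedence are assumptions, and the check is written in plain TypeScript rather than Joi so it runs without dependencies.

```typescript
// Added illustration, not code from the PR. All names are hypothetical.
type Env = Record<string, string | undefined>;
interface DbConfig { url: string; user: string; password: string }

const REQUIRED_KEYS = ["DB_URL", "DB_USER", "DB_PASSWORD"] as const;
// Values copied unchanged from a .env.example must not pass as real secrets.
const PLACEHOLDER = /^(changeme|change[-_]me|<.*>|your[-_].*)$/i;

// "Before": a missing variable silently becomes a hardcoded credential (CWE-798).
function loadDbConfigUnsafe(env: Env): DbConfig {
  return {
    url: env["DB_URL"] ?? "postgres://localhost:5432/app",
    user: env["DB_USER"] ?? "admin",
    password: env["DB_PASSWORD"] ?? "admin", // constructed weak default
  };
}

// "After": no defaults. Every problem is reported by key name only, so the
// error can be logged without leaking a secret value.
function loadDbConfig(env: Env): DbConfig {
  const problems: string[] = [];
  for (const key of REQUIRED_KEYS) {
    const value = (env[key] ?? "").trim();
    if (value === "") problems.push(`${key} is missing`);
    else if (PLACEHOLDER.test(value)) problems.push(`${key} is a placeholder`);
  }
  if (problems.length > 0) {
    throw new Error(`Invalid configuration: ${problems.join("; ")}`);
  }
  return {
    url: env["DB_URL"] as string,
    user: env["DB_USER"] as string,
    password: env["DB_PASSWORD"] as string,
  };
}

// Secrets-manager override (assumed precedence: remote values win over local
// env). Returns a new object; the caller validates the result before boot.
function hydrateEnv(env: Env, remote: Record<string, string>): Env {
  return { ...env, ...remote };
}

// Constructed sample input: local env has a URL and a leftover placeholder.
const localEnv: Env = { DB_URL: "postgres://db.internal:5432/hotel", DB_PASSWORD: "changeme" };
const remoteSecrets = { DB_USER: "svc_hotel", DB_PASSWORD: "constructed-sample-value" };
const bootConfig = loadDbConfig(hydrateEnv(localEnv, remoteSecrets));
```

Validating `localEnv` on its own throws, which is the behaviour that stops a service from starting with a placeholder or absent credential.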

overcut-ai bot commented Dec 24, 2025

🔧 Implementation Progress

Implementing the following phases:

  • [PHASE-1] Clean Up Repository Secrets (4a4fb64)
  • [PHASE-2] Harden Configuration Loading & Validation (db9dc81)
  • [PHASE-3] Secrets Manager Override Support (0ce6267)
  • [PHASE-4] Secure Local & Containerized Development Flow (1b08156)
  • [PHASE-5] Secret Rotation & Operational Follow-Up (Code Only Where Needed) (3692e5c)

All phases completed.

overcut-ai bot changed the title from "[DRAFT] Security Vulnerability: Hardcoded Database Credentials in Repository - CWE-798" to "Security Vulnerability: Hardcoded Database Credentials in Repository - CWE-798" on Dec 24, 2025

overcut-ai bot marked this pull request as ready for review December 24, 2025 12:52