security: remove hardcoded secrets, require env vars

Remove hardcoded encryption fallback and Postgres password defaults
flagged by GitGuardian. ENCRYPTION_SECRET and DATABASE_URL are now
required env vars that throw on missing rather than falling back to
insecure defaults.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/community-store.ts

@@ -904,7 +904,10 @@ export function setEncryption(
  * For now, uses a deterministic HMAC-based key from a server secret.
  */
 async function deriveSpaceKey(keyId: string): Promise<CryptoKey> {
-	const serverSecret = process.env.ENCRYPTION_SECRET || 'REDACTED_ENCRYPTION_FALLBACK';
+	const serverSecret = process.env.ENCRYPTION_SECRET;
+	if (!serverSecret) {
+		throw new Error('ENCRYPTION_SECRET environment variable is required');
+	}
 	const encoder = new TextEncoder();
 	const keyMaterial = await crypto.subtle.importKey(
 		'raw',

server/local-first/migration/dry-run.ts

@@ -20,8 +20,10 @@ import {
   type MigrationResult,
 } from './pg-to-automerge';
 
-const DATABASE_URL =
+const DATABASE_URL = process.env.DATABASE_URL;
-  process.env.DATABASE_URL || 'postgres://rspace:REDACTED@rspace-db:5432/rspace';
+if (!DATABASE_URL) {
+  throw new Error('DATABASE_URL environment variable is required');
+}
 
 const sql = postgres(DATABASE_URL, { max: 5, idle_timeout: 10 });
 

server/local-first/migration/run-migration.ts

@@ -19,8 +19,10 @@ import {
 import { syncServer } from '../../sync-instance';
 import { loadAllDocs, docIdToPath } from '../doc-persistence';
 
-const DATABASE_URL =
+const DATABASE_URL = process.env.DATABASE_URL;
-  process.env.DATABASE_URL || 'postgres://rspace:REDACTED@rspace-db:5432/rspace';
+if (!DATABASE_URL) {
+  throw new Error('DATABASE_URL environment variable is required');
+}
 
 const sql = postgres(DATABASE_URL, { max: 5, idle_timeout: 10 });
 

shared/db/pool.ts

@@ -7,8 +7,10 @@
 
 import postgres from "postgres";
 
-const DATABASE_URL =
+const DATABASE_URL = process.env.DATABASE_URL;
-	process.env.DATABASE_URL || "postgres://rspace:REDACTED@rspace-db:5432/rspace";
+if (!DATABASE_URL) {
+	throw new Error("DATABASE_URL environment variable is required");
+}
 
 /** Global shared connection */
 export const sql = postgres(DATABASE_URL, {