SEC-C-01 gap: Security engineer's Wave 1 fix replaced Neon credentials in
appsettings.json (19 files) but missed 4 appsettings.Development.json files
that still pointed to cloud infrastructure with production credentials.
Changes per service:
- iam-service-net: DB→localhost, Redis→localhost (removed Velik@2026),
Email SMTP→localhost:1025 (removed Mailgun password)
- membership-service-net: DB→localhost, Redis→localhost
- promotion-service-net: DB→localhost
- storage-service-net: DB→localhost, MinIO→localhost:9000 (removed Velik@2026),
Redis→localhost
All four files now point exclusively to local Docker Compose services
(postgres-local:5432, redis-local:6379, minio-local:9000).
Production/staging credentials must be injected via environment variables.
CTO review finding: appsettings.Development.json must not contain cloud
credentials. Local dev should always use docker-compose services.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Modified connection strings in appsettings.json for membership and storage services to use the new database host and credentials.
- Updated Redis configuration with new host, port, and authentication details.
- Changed JWT secret key to enhance security and updated issuer and audience settings for consistency across services.
- Introduced a new social-service in the Docker Compose configuration for local development, including build context, environment variables, and health checks.
- Updated architecture documentation to reflect the new storage service structure and its components, including user storage quotas and file management.
- Enhanced README files to provide clearer instructions on service setup, configuration, and API endpoints for file storage management.
- Implemented caching mechanisms in the IAM service client for improved performance and reduced latency in user information retrieval.
- Updated appsettings for development to include caching settings for IAM service interactions.
