security: S2 remove hardcoded DB password, S3 JWT already enforced, S4 remove localhost CORS

backend/db.py

@@ -17,7 +17,9 @@ PG_HOST = os.getenv("PG_HOST", "10.106.0.3")
 PG_PORT = int(os.getenv("PG_PORT", 5432))
 PG_DB = os.getenv("PG_DB", "arb_engine")
 PG_USER = os.getenv("PG_USER", "arb")
-PG_PASS = os.getenv("PG_PASS", "arb_engine_2026")
+PG_PASS = os.getenv("PG_PASS")
+if not PG_PASS:
+    raise RuntimeError("PG_PASS 未设置，请在 .env 或环境变量中注入数据库密码")
 
 PG_DSN = f"postgresql://{PG_USER}:{PG_PASS}@{PG_HOST}:{PG_PORT}/{PG_DB}"
 

backend/live_executor.py

@@ -41,7 +41,9 @@ BINANCE_ENDPOINTS = {
 BASE_URL = BINANCE_ENDPOINTS[TRADE_ENV]
 
 # 数据库
-_DB_PASSWORD = os.getenv("DB_PASSWORD", "arb_engine_2026" if TRADE_ENV == "testnet" else "")
+_DB_PASSWORD = os.getenv("DB_PASSWORD") or os.getenv("PG_PASS")
+if not _DB_PASSWORD:
+    raise RuntimeError("DB_PASSWORD / PG_PASS 未设置，请在 .env 或环境变量中注入数据库密码")
 if not _DB_PASSWORD:
     print("FATAL: DB_PASSWORD 未设置（生产环境必须配置）", file=sys.stderr)
     sys.exit(1)

backend/main.py

@@ -15,7 +15,7 @@ app = FastAPI(title="Arbitrage Engine API")
 
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["https://arb.zhouyangclaw.com", "http://localhost:3000", "http://localhost:3001"],
+    allow_origins=["https://arb.zhouyangclaw.com"],
     allow_methods=["*"],
     allow_headers=["*"],
 )

backend/risk_guard.py

@@ -39,7 +39,9 @@ BINANCE_ENDPOINTS = {
 }
 BASE_URL = BINANCE_ENDPOINTS[TRADE_ENV]
 
-_DB_PASSWORD = os.getenv("DB_PASSWORD", "arb_engine_2026" if TRADE_ENV == "testnet" else "")
+_DB_PASSWORD = os.getenv("DB_PASSWORD") or os.getenv("PG_PASS")
+if not _DB_PASSWORD:
+    raise RuntimeError("DB_PASSWORD / PG_PASS 未设置，请在 .env 或环境变量中注入数据库密码")
 if not _DB_PASSWORD:
     print("FATAL: DB_PASSWORD 未设置（生产环境必须配置）", file=sys.stderr)
     sys.exit(1)