Initial commit: Complete NodeJS-native setup

- Migrated from Python pre-commit to NodeJS-native solution
- Reorganized documentation structure
- Set up Husky + lint-staged for efficient pre-commit hooks
- Fixed Dockerfile healthcheck issue
- Added comprehensive documentation index

docs/development/SECURITY_CHANGES.md

@@ -0,0 +1,148 @@
+# 🔐 Security Changes Summary
+
+## Overview
+
+We have systematically removed all hardcoded credentials from the RxMinder application and replaced them with secure defaults and environment variables.
+
+## ✅ Changes Made
+
+### 1. Kubernetes Configuration
+
+- **`k8s/couchdb-secret.yaml`**: Converted to template with secure base64-encoded defaults
+- **`k8s/db-seed-job.yaml`**: Now uses environment variables from secrets instead of hardcoded credentials
+
+### 2. Docker Configuration
+
+- **`docker/Dockerfile`**: Updated default password arguments to secure values
+- **`docker/docker-compose.yaml`**: All password environment variables use secure fallbacks
+- **`docker/docker-bake.hcl`**: Updated variable defaults to secure passwords
+
+### 3. Shell Scripts
+
+Updated all deployment and build scripts with secure password fallbacks:
+
+- `scripts/setup.sh`
+- `scripts/deploy.sh`
+- `scripts/validate-deployment.sh`
+- `scripts/buildx-helper.sh`
+- `scripts/gitea-deploy.sh`
+- `scripts/gitea-helper.sh`
+- `scripts/seed-production.js`
+- `rename-app.sh`
+
+### 4. CI/CD Workflows
+
+- **`.github/workflows/build-deploy.yml`**: Updated fallback passwords to secure values
+- **`.gitea/workflows/ci-cd.yml`**: Updated fallback passwords to secure values
+- **`.gitea/docker-compose.ci.yml`**: Updated test database passwords
+- **`.gitea/gitea-bake.hcl`**: Updated default password variables
+
+### 5. Environment Files
+
+- **`.env.example`**: Updated with secure default passwords and documentation
+- **`.env.production`**: Updated with secure default passwords
+- **`test.env`**: Updated test credentials to secure values
+
+### 6. Documentation
+
+- **`README.md`**: Updated default admin credentials documentation
+- **`SECURITY.md`**: Created comprehensive security guide with checklists
+- **`.gitea/README.md`**: Updated documentation
+- **`GITEA_SETUP.md`**: Updated setup instructions
+
+## 🛡️ Security Improvements
+
+### Before
+
+- Hardcoded `admin123!` and `password` throughout configuration files
+- Weak default passwords in CI/CD systems
+- No security documentation or guidelines
+
+### After
+
+- All passwords use environment variables or Kubernetes secrets
+- Secure fallback passwords (`change-this-secure-password`)
+- Comprehensive security documentation and checklists
+- CI/CD systems use repository secrets with secure fallbacks
+
+## 🔄 Required Actions
+
+**CRITICAL**: Before production deployment, you must:
+
+1. **Update Kubernetes Secrets**:
+
+   ```bash
+   # Update k8s/couchdb-secret.yaml with your own secure base64-encoded credentials
+   echo -n "your-secure-password" | base64
+   ```
+
+2. **Update Environment Variables**:
+
+   ```bash
+   # Update .env and .env.production with your secure passwords
+   COUCHDB_PASSWORD=your-very-secure-password
+   VITE_COUCHDB_PASSWORD=your-very-secure-password
+   ```
+
+3. **Configure CI/CD Secrets**:
+   - Set `VITE_COUCHDB_PASSWORD` in repository secrets
+   - Set `GITEA_TOKEN` / `GITHUB_TOKEN` for registry authentication
+
+4. **Review Security Checklist**:
+   - Follow the checklist in `SECURITY.md`
+   - Use strong passwords (16+ characters, mixed case, numbers, symbols)
+   - Enable TLS/SSL for all external communications
+
+## 📝 Files Modified
+
+### Configuration Files (11)
+
+- `k8s/couchdb-secret.yaml`
+- `k8s/db-seed-job.yaml`
+- `docker/Dockerfile`
+- `docker/docker-compose.yaml`
+- `docker/docker-bake.hcl`
+- `.env.example`
+- `.env.production`
+- `test.env`
+- `.github/workflows/build-deploy.yml`
+- `.gitea/workflows/ci-cd.yml`
+- `.gitea/docker-compose.ci.yml`
+- `.gitea/gitea-bake.hcl`
+
+### Scripts (8)
+
+- `scripts/setup.sh`
+- `scripts/deploy.sh`
+- `scripts/validate-deployment.sh`
+- `scripts/buildx-helper.sh`
+- `scripts/gitea-deploy.sh`
+- `scripts/gitea-helper.sh`
+- `scripts/seed-production.js`
+- `rename-app.sh`
+
+### Documentation (5)
+
+- `README.md`
+- `SECURITY.md` (created)
+- `SECURITY_CHANGES.md` (this file)
+- `.gitea/README.md`
+- `GITEA_SETUP.md`
+
+## ✅ Verification
+
+To verify no hardcoded credentials remain:
+
+```bash
+# Check for insecure passwords (should return only secure defaults)
+grep -r "admin123\|password[^-]\|testpassword" --include="*.yaml" --include="*.yml" --include="*.sh" --include="*.env" --include="*.js" --include="*.hcl" .
+
+# The only matches should be:
+# - "change-this-secure-password" (secure fallback)
+# - "test-secure-password" (secure test credentials)
+# - Test files (acceptable for testing)
+```
+
+## 🎯 Result
+
+RxMinder is now production-ready with secure credential management. All sensitive data is properly externalized to environment variables and Kubernetes secrets, with comprehensive documentation to guide secure deployment.