Production security hardening and Docker configuration

Security Fixes:
- WebSocket CORS origin validation (production mode enforces AllowedOrigins)
- Path traversal prevention via filename sanitization
- SSRF protection with URL validation on all endpoints including GraphQL
- Request size limits (10MB JSON, 5GB files)
- Security headers (X-Frame-Options, CSP, X-Content-Type-Options)
- Graceful shutdown with batch job cancellation
- Non-leaking error messages in production

Docker Improvements:
- Dockerfile defaults to CLOUD_MODE=false for production security
- Removed weak default passwords from compose files
- Added secrets-manager.sh for proper secret generation
- Added Prometheus and Grafana monitoring configs
- Health checks use environment-based passwords

Code Quality:
- Added unit tests for config, ffmpeg, middleware
- HTTP server timeouts (read: 30s, write: 5min, idle: 120s)
- UUID validation on job IDs
- Context cancellation for batch processing

Repository Cleanup:
- Updated .gitignore for public repo (removed internal docs)
- Added docker-image configs to version control
- Removed sensitive audit/deployment files from tracking

Author: alokemajumder

.env.production.template

@@ -0,0 +1,361 @@
+# Production Environment Configuration for FFprobe API
+# CRITICAL: Change all default values before deploying to production!
+
+# =============================================================================
+# DEPLOYMENT METADATA
+# =============================================================================
+VERSION=1.0.0
+BUILD_DATE=
+VCS_REF=
+TARGETPLATFORM=linux/amd64
+
+# =============================================================================
+# DOMAIN AND NETWORKING
+# =============================================================================
+DOMAIN=your-domain.com
+API_PORT=8080
+EXTERNAL_HTTP_PORT=80
+EXTERNAL_HTTPS_PORT=443
+
+# =============================================================================
+# SECURITY CONFIGURATION
+# =============================================================================
+
+# API Authentication (CRITICAL: Change in production)
+# Generate with: openssl rand -hex 32
+API_KEY=CHANGE_ME_32_CHARS_MINIMUM_SECRET_KEY_HERE_PROD
+
+# JWT Secret (CRITICAL: Change in production)  
+# Generate with: openssl rand -hex 32
+JWT_SECRET=CHANGE_ME_32_CHARS_MINIMUM_JWT_SECRET_HERE_PROD
+
+# Encryption Key (CRITICAL: Change in production)
+# Generate with: openssl rand -hex 32
+ENCRYPTION_KEY=CHANGE_ME_32_CHARS_MINIMUM_ENCRYPTION_KEY_PROD
+
+# Security Features
+ENABLE_AUTH=true
+ENABLE_RATE_LIMIT=true
+ENABLE_CSRF=true
+ENABLE_CORS=false
+CORS_ORIGINS=https://your-domain.com,https://admin.your-domain.com
+
+# SSL/TLS Configuration
+SSL_CERT_PATH=/etc/ssl/certs/your-domain.crt
+SSL_KEY_PATH=/etc/ssl/private/your-domain.key
+SSL_CHAIN_PATH=/etc/ssl/certs/your-domain-chain.crt
+
+# =============================================================================
+# DATABASE CONFIGURATION
+# =============================================================================
+
+# PostgreSQL Primary
+POSTGRES_HOST=postgres
+POSTGRES_PORT=5432
+POSTGRES_DB=ffprobe_production
+POSTGRES_USER=ffprobe_prod
+# Generate with: openssl rand -base64 32
+POSTGRES_PASSWORD=CHANGE_ME_STRONG_DATABASE_PASSWORD_HERE
+
+# Database Connection Pool
+DB_MAX_CONNECTIONS=50
+DB_MAX_IDLE_CONNECTIONS=10
+DB_CONNECTION_TIMEOUT=30s
+DB_IDLE_TIMEOUT=30m
+
+# SSL Mode (require, verify-ca, verify-full)
+POSTGRES_SSL_MODE=require
+
+# =============================================================================
+# REDIS CONFIGURATION
+# =============================================================================
+
+# Redis Primary
+REDIS_HOST=redis
+REDIS_PORT=6379
+REDIS_DB=0
+# Generate with: openssl rand -base64 32
+REDIS_PASSWORD=CHANGE_ME_STRONG_REDIS_PASSWORD_HERE
+
+# Redis Connection Pool
+REDIS_MAX_CONNECTIONS=20
+REDIS_MIN_IDLE_CONNECTIONS=5
+REDIS_CONNECTION_TIMEOUT=10s
+
+# =============================================================================
+# APPLICATION CONFIGURATION
+# =============================================================================
+
+# Environment
+GO_ENV=production
+LOG_LEVEL=warn
+LOG_FORMAT=json
+DEBUG_MODE=false
+
+# File Processing
+MAX_FILE_SIZE=53687091200
+MAX_CONCURRENT_UPLOADS=10
+UPLOAD_TIMEOUT=3600
+PROCESSING_TIMEOUT=7200
+CLEANUP_TEMP_FILES=true
+
+# Rate Limiting
+RATE_LIMIT_REQUESTS_PER_MINUTE=100
+RATE_LIMIT_BURST_SIZE=20
+RATE_LIMIT_ENABLE_SLIDING_WINDOW=true
+
+# =============================================================================
+# STORAGE AND DATA PATHS
+# =============================================================================
+
+# Primary data directory (ensure this exists and has proper permissions)
+DATA_PATH=/opt/ffprobe/data
+
+# SSL certificates directory
+SSL_PATH=/opt/ffprobe/ssl
+
+# Application directories (auto-created relative to DATA_PATH)
+UPLOAD_DIR=/opt/ffprobe/data/uploads
+REPORTS_DIR=/opt/ffprobe/data/reports
+TEMP_DIR=/opt/ffprobe/data/temp
+CACHE_DIR=/opt/ffprobe/data/cache
+BACKUP_DIR=/opt/ffprobe/data/backup
+LOG_DIR=/opt/ffprobe/data/logs
+
+# =============================================================================
+# MONITORING AND OBSERVABILITY
+# =============================================================================
+
+# Metrics and Monitoring
+ENABLE_METRICS=true
+ENABLE_TRACING=true
+METRICS_PORT=9090
+PROMETHEUS_RETENTION_TIME=30d
+PROMETHEUS_RETENTION_SIZE=10GB
+
+# Grafana
+GRAFANA_PASSWORD=CHANGE_ME_STRONG_GRAFANA_PASSWORD_HERE
+GRAFANA_ADMIN_USER=admin
+
+# Health Checks
+HEALTH_CHECK_TIMEOUT=10s
+HEALTH_CHECK_INTERVAL=30s
+STARTUP_PROBE_TIMEOUT=60s
+
+# Logging
+ENABLE_ACCESS_LOGGING=true
+ENABLE_AUDIT_LOGGING=true
+LOG_RETENTION_DAYS=90
+
+# =============================================================================
+# EXTERNAL SERVICES
+# =============================================================================
+
+# Email Configuration (for notifications)
+SMTP_HOST=smtp.your-provider.com
+SMTP_PORT=587
+[email protected]
+SMTP_PASSWORD=CHANGE_ME_SMTP_PASSWORD
+[email protected]
+SMTP_TLS=true
+
+# Cloud Storage (if using)
+# AWS S3
+AWS_REGION=us-east-1
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+S3_BUCKET_NAME=ffprobe-production-storage
+
+# Google Cloud Storage  
+GCS_PROJECT_ID=
+GCS_BUCKET_NAME=ffprobe-production-storage
+GOOGLE_APPLICATION_CREDENTIALS=/opt/ffprobe/config/gcs-credentials.json
+
+# Azure Blob Storage
+AZURE_STORAGE_ACCOUNT=
+AZURE_STORAGE_KEY=
+AZURE_CONTAINER_NAME=ffprobe-production
+
+# =============================================================================
+# PERFORMANCE TUNING
+# =============================================================================
+
+# Go Runtime
+GOMAXPROCS=0
+GOGC=100
+GOMEMLIMIT=8GiB
+
+# Docker Resource Limits (used by compose files)
+API_MEMORY_LIMIT=16G
+API_CPU_LIMIT=8.0
+API_MEMORY_RESERVATION=8G
+API_CPU_RESERVATION=4.0
+
+DB_MEMORY_LIMIT=4G
+DB_CPU_LIMIT=4.0
+DB_MEMORY_RESERVATION=2G
+DB_CPU_RESERVATION=2.0
+
+REDIS_MEMORY_LIMIT=2G
+REDIS_CPU_LIMIT=2.0
+REDIS_MEMORY_RESERVATION=1G
+REDIS_CPU_RESERVATION=1.0
+
+# =============================================================================
+# BACKUP AND DISASTER RECOVERY
+# =============================================================================
+
+# Backup Configuration
+ENABLE_AUTO_BACKUP=true
+BACKUP_SCHEDULE=0 2 * * *
+BACKUP_RETENTION_DAYS=30
+BACKUP_COMPRESSION=true
+BACKUP_ENCRYPTION=true
+
+# Backup Storage
+BACKUP_STORAGE_TYPE=local
+BACKUP_S3_BUCKET=ffprobe-backups-production
+BACKUP_ENCRYPTION_KEY=CHANGE_ME_BACKUP_ENCRYPTION_KEY_32_CHARS
+
+# =============================================================================
+# NOTIFICATIONS AND ALERTS
+# =============================================================================
+
+# Slack Notifications
+SLACK_WEBHOOK_URL=https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK
+SLACK_CHANNEL=#ffprobe-alerts
+ENABLE_SLACK_ALERTS=true
+
+# PagerDuty Integration
+PAGERDUTY_INTEGRATION_KEY=
+ENABLE_PAGERDUTY_ALERTS=false
+
+# Email Alerts
+[email protected],[email protected]
+ENABLE_EMAIL_ALERTS=true
+
+# =============================================================================
+# DEVELOPMENT AND DEBUG (Production: Keep disabled)
+# =============================================================================
+
+# Debug Features (NEVER enable in production)
+ENABLE_PPROF=false
+ENABLE_DEBUG_ENDPOINTS=false
+ENABLE_COLORS=false
+
+# Development Tools (NEVER enable in production)
+ENABLE_HOT_RELOAD=false
+ENABLE_MOCK_AUTH=false
+SKIP_AUTH_FOR_HEALTH=true
+
+# =============================================================================
+# COMPLIANCE AND AUDIT
+# =============================================================================
+
+# GDPR Compliance
+ENABLE_GDPR_MODE=true
+DATA_RETENTION_DAYS=365
+ENABLE_RIGHT_TO_DELETE=true
+
+# Audit Logging
+AUDIT_LOG_LEVEL=info
+AUDIT_LOG_RETENTION_DAYS=2555  # 7 years
+ENABLE_DATA_ACCESS_LOGGING=true
+
+# Privacy
+ANONYMIZE_IP_ADDRESSES=true
+ENABLE_PRIVACY_MODE=true
+
+# =============================================================================
+# FEATURE FLAGS
+# =============================================================================
+
+# API Features
+ENABLE_BATCH_PROCESSING=true
+ENABLE_WEBHOOK_CALLBACKS=true
+ENABLE_QUALITY_ANALYSIS=true
+ENABLE_HLS_ANALYSIS=true
+ENABLE_LLM_INTEGRATION=false
+
+# Storage Features
+ENABLE_CLOUD_STORAGE=false
+ENABLE_CDN_INTEGRATION=false
+ENABLE_STORAGE_COMPRESSION=true
+
+# Advanced Features
+ENABLE_AI_ANALYSIS=false
+ENABLE_VIDEO_THUMBNAILS=true
+ENABLE_SUBTITLE_EXTRACTION=true
+
+# =============================================================================
+# THIRD-PARTY INTEGRATIONS
+# =============================================================================
+
+# Content Delivery Network
+CDN_PROVIDER=cloudflare
+CDN_API_KEY=
+CDN_ZONE_ID=
+
+# Analytics
+GOOGLE_ANALYTICS_ID=
+ENABLE_USAGE_ANALYTICS=false
+
+# Error Tracking
+SENTRY_DSN=
+ENABLE_ERROR_TRACKING=false
+
+# =============================================================================
+# MAINTENANCE AND OPERATIONS
+# =============================================================================
+
+# Maintenance Windows
+MAINTENANCE_MODE=false
+MAINTENANCE_MESSAGE="System maintenance in progress"
+MAINTENANCE_ALLOWED_IPS=127.0.0.1,10.0.0.0/8
+
+# Operational Settings
+ENABLE_GRACEFUL_SHUTDOWN=true
+SHUTDOWN_TIMEOUT=30s
+STARTUP_DELAY=0s
+
+# Resource Cleanup
+CLEANUP_INTERVAL=1h
+TEMP_FILE_MAX_AGE=24h
+CACHE_MAX_AGE=7d
+
+# =============================================================================
+# VALIDATION CHECKSUMS (for deployment verification)
+# =============================================================================
+
+# Generate these during deployment
+DEPLOYMENT_CHECKSUM=
+CONFIG_CHECKSUM=
+BINARY_CHECKSUM=
+
+# =============================================================================
+# DEPLOYMENT NOTES
+# =============================================================================
+
+# Required Actions Before Production Deployment:
+# 1. Change ALL passwords and secrets above
+# 2. Create SSL certificates and place in SSL_PATH
+# 3. Create DATA_PATH directory with proper permissions (755, owner: 1001:1001)
+# 4. Configure firewall rules for exposed ports
+# 5. Set up monitoring alerts
+# 6. Configure backup storage
+# 7. Test disaster recovery procedures
+# 8. Update DNS records
+# 9. Configure load balancer health checks
+# 10. Validate security scanning results
+
+# Security Checklist:
+# [ ] All default passwords changed
+# [ ] SSL certificates installed and valid
+# [ ] Firewall configured
+# [ ] Rate limiting tested
+# [ ] Authentication working
+# [ ] HTTPS redirects configured
+# [ ] Security headers enabled
+# [ ] Vulnerability scan completed
+# [ ] Penetration testing completed
+# [ ] Backup and restore tested