security: move secrets to .env, never commit secrets to git

ecosystem.config.js

@@ -1,10 +1,19 @@
+require('dotenv').config({ path: __dirname + '/.env' });
+
+const HUB_SECRET = process.env.HUB_SECRET;
+if (!HUB_SECRET) throw new Error('HUB_SECRET not set in .env');
+
 module.exports = {
   apps: [
     {
       name: 'mcp-hub',
       script: 'src/index.js',
       cwd: '/workspace',
-      env: { NODE_ENV: 'development', PORT: 3000, HUB_AUTH: JSON.stringify({"sample-mcp": "cd36b91af1224e2d365ede4e32385ea03508b4bd4c05411e2fc76388d62c6886", "memory-mcp": "cd36b91af1224e2d365ede4e32385ea03508b4bd4c05411e2fc76388d62c6886"}) },
+      env: {
+        NODE_ENV: 'development',
+        PORT: 3000,
+        HUB_AUTH: JSON.stringify({ 'sample-mcp': HUB_SECRET, 'memory-mcp': HUB_SECRET })
+      },
       max_restarts: 10,
       restart_delay: 1000,
       log_date_format: 'YYYY-MM-DD HH:mm:ss Z',
@@ -14,7 +23,10 @@ module.exports = {
       name: 'sample-mcp',
       script: 'sample-mcp/index.js',
       cwd: '/workspace',
-      env: { NODE_ENV: 'development', MCP_SECRET: 'cd36b91af1224e2d365ede4e32385ea03508b4bd4c05411e2fc76388d62c6886' },
+      env: {
+        NODE_ENV: 'development',
+        MCP_SECRET: HUB_SECRET
+      },
       max_restarts: 10,
       restart_delay: 2000,
       log_date_format: 'YYYY-MM-DD HH:mm:ss Z',
@@ -26,7 +38,7 @@ module.exports = {
       cwd: '/workspace',
       env: {
         BRIDGE_SERVICE_ID: 'memory-mcp',
-        BRIDGE_SECRET: 'cd36b91af1224e2d365ede4e32385ea03508b4bd4c05411e2fc76388d62c6886',
+        BRIDGE_SECRET: HUB_SECRET,
         BRIDGE_HUB_URL: 'ws://localhost:3000/ws/register',
         BRIDGE_UPSTREAM_URL: 'https://memory-mcp.dbchat.ai/mcp/sse'
       },