Remove hardcoded secrets from public repo

- Replace hardcoded POSTGRES_PASSWORD, ADMIN_TOKEN, and L1 host IP
  with env var references in docker-compose.yml
- Remove default password fallback from database.py and app/config.py
- Update .env.example with required POSTGRES_PASSWORD, ADMIN_TOKEN, L1_HOST
- Update README to mark DATABASE_URL as required

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker-compose.yml

@@ -23,7 +23,7 @@ services:
     image: postgres:16-alpine
     environment:
       - POSTGRES_USER=artdag
-      - POSTGRES_PASSWORD=artdag
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
       - POSTGRES_DB=artdag
     ports:
       - target: 5432
@@ -69,8 +69,8 @@ services:
       - .env
     environment:
       - REDIS_URL=redis://redis:6379/5
-      - DATABASE_URL=postgresql://artdag:artdag@postgres:5432/artdag
-      - ADMIN_TOKEN=artdag-admin-purge-token-2026
+      - DATABASE_URL=postgresql://artdag:${POSTGRES_PASSWORD}@postgres:5432/artdag
+      - ADMIN_TOKEN=${ADMIN_TOKEN}
       # IPFS_API multiaddr - used for all IPFS operations (add, cat, pin)
       - IPFS_API=/dns/ipfs/tcp/5001
       - CACHE_DIR=/data/cache
@@ -102,7 +102,7 @@ services:
     command: sh -c "find /app -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null; celery -A celery_app worker --loglevel=info -E"
     environment:
       - REDIS_URL=redis://redis:6379/5
-      - DATABASE_URL=postgresql://artdag:artdag@postgres:5432/artdag
+      - DATABASE_URL=postgresql://artdag:${POSTGRES_PASSWORD}@postgres:5432/artdag
       # IPFS_API multiaddr - used for all IPFS operations (add, cat, pin)
       - IPFS_API=/dns/ipfs/tcp/5001
       - CACHE_DIR=/data/cache
@@ -156,10 +156,10 @@ services:
     command: sh -c "cd /app && celery -A celery_app worker --loglevel=info -E -Q gpu,celery"
     environment:
       # GPU node is on different VPC - use public IPs for cross-node communication
-      - REDIS_URL=redis://138.68.142.139:16379/5
-      - DATABASE_URL=postgresql://artdag:artdag@138.68.142.139:15432/artdag
+      - REDIS_URL=redis://${L1_HOST}:16379/5
+      - DATABASE_URL=postgresql://artdag:${POSTGRES_PASSWORD}@${L1_HOST}:15432/artdag
       # Connect to shared IPFS node on CPU (via public IP)
-      - IPFS_API=/ip4/138.68.142.139/tcp/15001
+      - IPFS_API=/ip4/${L1_HOST}/tcp/15001
       # Gateway fallback for resilience
       - IPFS_GATEWAYS=https://ipfs.io,https://cloudflare-ipfs.com,https://dweb.link
       # Local cache is ephemeral (tmpfs or local volume)