
config: insecure defaults for SECRET_KEY, FLASK_DEBUG, and bind address #3

@fragres

Description

@fragres

Hey — just wanted to flag a cluster of three settings that combine into something more dangerous than any one of them on its own.

AlphaFin/config.py:25-26:

SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-change-me')
DEBUG = str(os.getenv('FLASK_DEBUG', '1')).strip().lower() in ('1', 'true', 'yes', 'on')

AlphaFin/app.py:1000:

app.run(host='0.0.0.0', port=5002, debug=DEBUG, threaded=True, use_reloader=False)

What you get out of the box, with zero env vars set:

  1. SECRET_KEY = 'dev-secret-change-me' — a publicly-known string in a public repo. Any session cookie signed by this key can be forged by anyone who reads this file. There's no startup check that warns when the default is in use.
  2. DEBUG = True — and crucially, debug=True is passed straight through to app.run. Werkzeug's interactive debugger then pops up an in-browser Python console on any unhandled exception. With the PIN protection that newer Werkzeug ships, RCE requires guessing the PIN, but the PIN is derived from machine-stable values and has been shown to be brute-forceable in many real deployments. Older Werkzeug versions ship without a PIN.
  3. host='0.0.0.0' — exposed on every interface, not loopback.

The three together mean: on first run, an attacker on the same network gets either session forgery (definitely) or a debugger console (likely).

Suggested change: default DEBUG to False, default host to 127.0.0.1, and have app.py sys.exit with a clear message if SECRET_KEY is still the placeholder when DEBUG=False.
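The suggested change above, worked through as an added example (this is not AlphaFin's code; the function names `load_settings`, `validate_settings` and `require_valid_settings`, and the `FLASK_HOST`/`FLASK_PORT` variable names, are assumptions). It flips the defaults to DEBUG off and a loopback bind, and refuses to start when the placeholder SECRET_KEY is still in use outside debug mode:

```python
"""Hardened startup configuration for a Flask app.

Added example applying the issue's suggestion; not AlphaFin's own code.
The placeholder string is the one quoted from AlphaFin/config.py.
"""
import os
import sys
from dataclasses import dataclass

PLACEHOLDER_SECRET = 'dev-secret-change-me'  # placeholder quoted in the issue
TRUTHY = ('1', 'true', 'yes', 'on')
LOOPBACK_HOSTS = ('127.0.0.1', 'localhost', '::1')


def env_flag(value, default=False):
    """Parse a boolean-ish environment string; None (unset) yields `default`."""
    if value is None:
        return default
    return str(value).strip().lower() in TRUTHY


@dataclass(frozen=True)
class Settings:
    secret_key: str
    debug: bool
    host: str
    port: int


def load_settings(env=None):
    """Build Settings from an environment mapping with secure defaults:
    DEBUG off and a loopback bind when nothing is set. The placeholder
    key is kept only so validate_settings() can detect it."""
    env = os.environ if env is None else env
    return Settings(
        secret_key=env.get('SECRET_KEY', PLACEHOLDER_SECRET),
        debug=env_flag(env.get('FLASK_DEBUG'), default=False),
        host=env.get('FLASK_HOST', '127.0.0.1'),     # assumed variable name
        port=int(env.get('FLASK_PORT', '5002')),     # assumed variable name
    )


def validate_settings(s):
    """Return a list of fatal misconfigurations; an empty list means OK.

    Outside debug mode the placeholder SECRET_KEY is fatal, because any
    session cookie signed with it can be forged by anyone who read the repo.
    Debug mode bound to a non-loopback address is flagged too, since that
    exposes the Werkzeug debugger console to the whole network.
    """
    problems = []
    if not s.debug and s.secret_key == PLACEHOLDER_SECRET:
        problems.append('SECRET_KEY is still the placeholder; set a random value')
    if s.debug and s.host not in LOOPBACK_HOSTS:
        problems.append('debug mode must only bind to a loopback address')
    return problems


def require_valid_settings(s):
    """sys.exit with a clear message if validation fails (the issue's suggestion)."""
    problems = validate_settings(s)
    if problems:
        for p in problems:
            print('FATAL config error: ' + p, file=sys.stderr)
        sys.exit(1)
    return s


if __name__ == '__main__':
    # With no env vars set this exits non-zero: the placeholder key is in use.
    cfg = require_valid_settings(load_settings())
    print('config OK: debug=%s host=%s port=%d' % (cfg.debug, cfg.host, cfg.port))
```

`app.py` would then call `require_valid_settings(load_settings())` once at import time and pass the returned `host`, `port` and `debug` into `app.run`, so a misconfigured deployment fails loudly before it ever binds a socket.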
