feat(config): block sensitive env overrides by suffix and add tests

- Add suffix-based, case-insensitive filter for sensitive env vars in `zainod/src/config.rs`:
  - Deny leaf keys ending with: `password`, `secret`, `token`, `cookie`, `private_key`.
  - Pre-filter `ZAINO_*` vars and pass sanitized map via `Environment::source(Some(filtered_env))` with `try_parsing(true)`.
- Keep non-sensitive fields overridable (e.g., `cookie_dir`, `tls_cert_path`, `tls_key_path`).
- Add tests in `zainod/tests/config.rs`:
  - `test_env_unknown_non_sensitive_key_is_ignored`
  - `test_env_unknown_sensitive_key_is_ignored`
  - `test_env_validator_password_is_ignored` (env does not override default)

Author: gustavovalverde

zainod/src/config.rs

@@ -20,6 +20,17 @@ use zaino_state::{BackendConfig, FetchServiceConfig, StateServiceConfig};
 
 use crate::error::IndexerError;
 
+/// Returns true if a leaf key name should be considered sensitive and blocked
+/// from environment variable overrides.
+fn is_sensitive_leaf_key(leaf_key: &str) -> bool {
+    let lower = leaf_key.to_ascii_lowercase();
+    lower.ends_with("password")
+        || lower.ends_with("secret")
+        || lower.ends_with("token")
+        || lower.ends_with("cookie")
+        || lower.ends_with("private_key")
+}
+
 /// Custom deserialization function for `SocketAddr` from a String.
 /// Used by Serde's `deserialize_with`.
 fn deserialize_socketaddr_from_string<'de, D>(deserializer: D) -> Result<SocketAddr, D::Error>
@@ -397,13 +408,39 @@ pub fn load_config(file_path: &Path) -> Result<IndexerConfig, IndexerError> {
         IndexerError::ConfigError(format!("Failed to create config from defaults: {e}"))
     })?;
 
+    // Build a filtered view of the process environment for ZAINO_* keys,
+    // removing sensitive-leaf overrides.
+    let mut filtered_env: std::collections::HashMap<String, String> =
+        std::collections::HashMap::new();
+    for (key, value) in std::env::vars() {
+        if !key.starts_with("ZAINO_") {
+            continue;
+        }
+
+        if let Some(without_prefix) = key.strip_prefix("ZAINO_") {
+            // Zaino uses flat env keys, but split on "__" for consistency with nested patterns.
+            let parts: Vec<&str> = without_prefix.split("__").collect();
+            if let Some(leaf) = parts.last() {
+                if is_sensitive_leaf_key(leaf) {
+                    continue;
+                }
+            }
+        }
+
+        filtered_env.insert(key, value);
+    }
+
     let parsed_config: IndexerConfig = config::Config::builder()
         // 1. Start with defaults (lowest precedence)
         .add_source(defaults_config)
         // 2. Override with TOML file values
         .add_source(config::File::from(file_path).required(true))
         // 3. Override with environment variables (highest precedence)
-        .add_source(config::Environment::with_prefix("ZAINO").try_parsing(true))
+        .add_source(
+            config::Environment::with_prefix("ZAINO")
+                .try_parsing(true)
+                .source(Some(filtered_env)),
+        )
         .build()
         .and_then(|config| config.try_deserialize())
         .map_err(|e| IndexerError::ConfigError(e.to_string()))?;

zainod/tests/config.rs

@@ -451,3 +451,48 @@ fn test_invalid_env_var_type() {
         assert!(msg.to_lowercase().contains("map_capacity") || msg.contains("invalid"));
     }
 }
+
+// --- Sensitive env deny-list behaviour ---
+
+#[test]
+fn test_env_unknown_non_sensitive_key_is_ignored() {
+    let env = EnvGuard::new();
+    let temp_dir = env.temp_dir();
+
+    let test_config_path = env.create_file(&temp_dir, "test_config.toml", "");
+    // Unknown non-sensitive key is ignored because IndexerConfig does not deny unknown fields
+    env.set_var("ZAINO_FOO", "bar");
+    let result = load_config(&test_config_path);
+    assert!(result.is_ok());
+}
+
+#[test]
+fn test_env_unknown_sensitive_key_is_ignored() {
+    let env = EnvGuard::new();
+    let temp_dir = env.temp_dir();
+
+    let test_config_path = env.create_file(&temp_dir, "test_config.toml", "");
+    // Unknown sensitive-suffix key should be filtered and not error
+    env.set_var("ZAINO_TOKEN", "supersecret");
+    let result = load_config(&test_config_path);
+    assert!(result.is_ok());
+}
+
+#[test]
+fn test_env_validator_password_is_ignored() {
+    let env = EnvGuard::new();
+    let temp_dir = env.temp_dir();
+
+    // Minimal config to satisfy required fields
+    let toml_str = r#"
+        network = "Testnet"
+    "#;
+    let path = env.create_file(&temp_dir, "base.toml", toml_str);
+
+    // Attempt to set validator_password via env; should be ignored
+    env.set_var("ZAINO_VALIDATOR_PASSWORD", "topsecret");
+
+    let cfg = load_config(&path).expect("config should load with filtered secret env");
+    // Default is Some("xxxxxx") per IndexerConfig::default(); env should not override
+    assert_eq!(cfg.validator_password, Some("xxxxxx".to_string()));
+}