Skip to content

security: replace hardcoded credentials in seed.ts with env var references#9

Draft
Copilot wants to merge 3 commits into
masterfrom
copilot/replace-hardcoded-credentials
Draft

security: replace hardcoded credentials in seed.ts with env var references#9
Copilot wants to merge 3 commits into
masterfrom
copilot/replace-hardcoded-credentials

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 8, 2026
edited
Loading

  • Check current state of backend/.env.example
  • Add SEED_OWNER_PASSWORD, SEED_ADMIN_PASSWORD, SEED_PG_USER, SEED_PG_PASSWORD to backend/.env.example
  • NEO4J_USER and NEO4J_PASSWORD already present — no duplicate needed
Original prompt

Problem

A security audit identified multiple hardcoded credentials and secrets committed to source code in this repository. These must be replaced with environment variable references and safe placeholder values.

Files to Fix

1. backend/prisma/seed.ts

This file contains multiple hardcoded passwords that need to be replaced with environment variable references.

Line 681: Hardcoded owner password:

const ownerPasswordHash = await bcrypt.hash('DatacendiaOwner2024!', 12);

Fix: Replace with:

const ownerPasswordHash = await bcrypt.hash(process.env.SEED_OWNER_PASSWORD || 'CHANGE_ME_IN_ENV', 12);

Line 709: Hardcoded admin password:

const passwordHash = await bcrypt.hash('DatacendiaAdmin2024!', 12);

Fix: Replace with:

const passwordHash = await bcrypt.hash(process.env.SEED_ADMIN_PASSWORD || 'CHANGE_ME_IN_ENV', 12);

Lines 909-910: Hardcoded PostgreSQL credentials in seed data source:

credentials: {
    username: 'postgres',
    password: 'postgres',
},

Fix: Replace with:

credentials: {
    username: process.env.SEED_PG_USER || 'postgres',
    password: process.env.SEED_PG_PASSWORD || 'CHANGE_ME_IN_ENV',
},

Lines 944-945: Hardcoded Neo4j credentials in seed data source:

credentials: {
    username: 'neo4j',
    password: 'password',
},

Fix: Replace with:

credentials: {
    username: process.env.NEO4J_USER || 'neo4j',
    password: process.env.NEO4J_PASSWORD || 'CHANGE_ME_IN_ENV',
},

Lines 1942-1944: Remove hardcoded password from console output:

console.log('📋 Default Credentials:');
console.log('   Email: admin@datacendia.com');
console.log('   Password: DatacendiaAdmin2024!');

Fix: Replace with:

console.log('📋 Default Credentials:');
console.log('   Email: admin@datacendia.com');
console.log('   Password: (set via SEED_ADMIN_PASSWORD env var)');

2. src/lib/featureFlags.ts

Line ~16-17 in the datacendia-core version: The platform audit (from datacendia-components/reports/PLATFORM_AUDIT_2026_02_17.md line 178) flagged that this file had const UNLEASH_TOKEN = 'cendia-admin-token' hardcoded. Check the current state and ensure it reads from environment variables:

const UNLEASH_URL = import.meta.env.VITE_UNLEASH_URL || 'http://localhost:4242/api';
const UNLEASH_TOKEN = import.meta.env.VITE_UNLEASH_TOKEN || '';

If UNLEASH_TOKEN is already reading from import.meta.env.VITE_UNLEASH_TOKEN with an empty string fallback, no change is needed. If it still has 'cendia-admin-token' as the fallback, change the fallback to ''.

Summary of Changes Required

File Issue Fix
backend/prisma/seed.ts 4 hardcoded passwords + password in console log Replace with process.env.* references, remove password from console output
src/lib/featureFlags.ts Possibly hardcoded Unleash token (check current state) Ensure fallback is '' not 'cendia-admin-token'

Important Notes

  • Do NOT modify .env, .env.example, or any other files — only the files listed above.
  • Keep the same overall code structure/logic; only replace credential literals with environment variable lookups.
  • The empty string '' fallback for UNLEASH_TOKEN is intentional — in development without Unleash running, all flags default to false.
  • For seed passwords, use 'CHANGE_ME_IN_ENV' as the fallback to make it obvious the env var needs to be set.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Check for passwords or secrets

Assistant:

I'll check for any passwords, secrets, or sensitive credentials in your repositories. Let me search for common patterns.

Assistant: Here's a summary of the secrets and credentials findings across your datacendia/datacendia-core and datacendia/datacendia-components repositories:

🔴 HIGH SEVERITY — Hardcoded Credentials in Source Code

1. Hardcoded database passwords in scripts

host: 'localhost', port: 3306, user: 'root', password: 'cendia2025', database: 'clientdata'
host: 'localhost', port: 3307, user: 'root', password: 'cendia2025', database: 'analytics'

2. Hardcoded PostgreSQL connection string with password

connectionString: 'postgresql://datacendia:datacendia_secure_2024@localhost:5433/datacendia'

3. Hardcoded d...

This pull request was created from Copilot chat.

Copilot AI changed the title [WIP] Update hardcoded passwords to use environment variables security: replace hardcoded credentials in seed.ts with env var references Apr 8, 2026
Copilot AI requested a review from datacendia April 8, 2026 09:51
@datacendia
docs: add seed env vars to .env.example
f7cc0b8 
Agent-Logs-Url: https://github.com/datacendia/datacendia-core/sessions/16e7fbf6-8941-49ff-b309-5e8f1510b365

Co-authored-by: datacendia <247299412+datacendia@users.noreply.github.com>
datacendia added a commit that referenced this pull request Apr 15, 2026
@datacendia
docs: Datacendia Bible + complete Services Catalog + middleware diagr…
8fbae12 
…ams update

New documents:
- docs/DATACENDIA-BIBLE.md — master platform reference (18 sections: mission,
  architecture, all 25+ named products, 60 service domains, full middleware
  chain, 40+ compliance frameworks, security controls, data model, API structure,
  pricing tiers, deployment, demo data, inference layer, crypto evidence chain,
  audit/telemetry, integrations, roadmap, config variables)

- docs/architecture/services-catalog.md — comprehensive catalog of every service
  (17 Mermaid diagrams): Council deliberation state machine, compliance layer,
  inference provider chain, privacy DSR flow, legal services, governance, crypto
  evidence pipeline, security middleware chain, gateway 14-module architecture,
  analytics/intelligence/LLM services, sovereign/enterprise, simulation (COLLAPSE
  SGAS SCGE), vertical agents, ops/infra, platform services, connectors, full
  middleware stack with demoGuardMiddleware

Updated documents:
- docs/architecture/gateway-security.md — demoGuardMiddleware added to security
  diagram (#9 modules), sequence flow updated, new Demo Guard tenant protection
  flowchart added (diagram #5)
- docs/architecture/platform-overview.md — request flow updated to show full
  middleware chain: Auth + blockIfDemo① → Security → requireOrgScope +
  blockIfDemo② → aiRegulatoryMiddleware → Route
- docs/architecture/README.md — services-catalog added as doc #19, diagram
  count updated to ~90, Bible cross-link added
- ARCHITECTURE.md — request flow steps updated with requireOrgScope +
  demoGuardMiddleware (v0.2.4+)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@datacendia datacendia Awaiting requested review from datacendia

At least 1 approving review is required to merge this pull request.

Assignees

Copilot code review Copilot

@datacendia datacendia

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@datacendia