Skip to content

fix: replace hardcoded POSTGRES_PASSWORD with runtime-generated random password#451

Merged
BigSimmo merged 4 commits into
mainfrom
copilot/fix-gitgguardian-secret-issue
Jul 9, 2026
Merged

fix: replace hardcoded POSTGRES_PASSWORD with runtime-generated random password#451
BigSimmo merged 4 commits into
mainfrom
copilot/fix-gitgguardian-secret-issue

Conversation

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

GitGuardian flagged a hardcoded POSTGRES_PASSWORD=postgres in the drift manifest generation script. While this only affects a disposable local scratch Docker container, the hardcoded credential triggers secret scanning alerts and sets a bad precedent.

Changes

  • scripts/generate-drift-manifest.ts: Import randomBytes from node:crypto and generate a 32-char hex password at runtime instead of using the hardcoded "postgres" literal
+import { randomBytes } from "node:crypto";
 ...
+const scratchPassword = randomBytes(16).toString("hex");
-docker(["run", "-d", "--name", CONTAINER, "-e", "POSTGRES_PASSWORD=postgres", ...]);
+docker(["run", "-d", "--name", CONTAINER, "-e", `POSTGRES_PASSWORD=${scratchPassword}`, ...]);

The password is only needed for container initialisation — subsequent psql calls use docker exec (peer/trust auth inside the container) and are unaffected.

Verification

  • npm run verify:cheap
  • npm run verify:ui when UI, routing, styling, browser behavior, reduced-motion, or forced-colors behavior changed
  • npm run verify:release before release or handoff confidence claims
  • npm run format:check
  • npm run eval:retrieval:quality (must stay 36/36) when retrieval, ranking, selection, chunking, or scoring behavior changed — CI cannot run it (needs live keys), so run it locally and paste the summary. A metadata/governance-weighting change once buried correct docs (recall 1.0→0.76) and only this eval caught it.
  • npm run eval:rag -- --limit 15 + npm run eval:quality -- --rag-only when answer generation, the synthesis prompt, or answer post-processing changed (grounded-supported must not drop; citation-failure 0)
  • npm run check:production-readiness when clinical workflow, privacy, environment, Supabase, source governance, or deployment behavior changed
  • npm run check:deployment-readiness when deployment startup, hosting, or rollout behavior changed

Clinical Governance Preflight

Complete this section when the change touches ingestion, answer generation, search/ranking, source rendering, document access, privacy, production env, or clinical output.

  • Source-backed claims still require linked source verification before clinical use
  • No patient-identifiable document workflow was introduced or expanded without explicit governance approval
  • Supabase target remains Clinical KB Database (sjrfecxgysukkwxsowpy)
  • Service-role keys and private document access remain server-only
  • Demo/synthetic content remains clearly separated from real clinical sources
  • Source metadata, review status, and outdated/unknown-source behavior remain conservative
  • Deployment classification/TGA SaMD impact was checked when clinical decision-support behavior changed

Notes

  • No new dependencies — node:crypto is a Node.js built-in.
  • CodeQL and secret scanning both pass clean after this change.

@supabase

supabase Bot commented Jul 9, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@BigSimmo
BigSimmo marked this pull request as ready for review July 9, 2026 13:09
@BigSimmo
BigSimmo enabled auto-merge (squash) July 9, 2026 13:09
…m password

GitGuardian flagged the hardcoded 'postgres' password in the scratch Docker
container setup. Replace it with a 16-byte cryptographically random hex
string generated at runtime using Node's built-in crypto module.

The password is only used for the disposable local scratch container and
is never stored or transmitted — making it random also removes any
misleading suggestion that 'postgres' is a meaningful credential here.

Closes #450
auto-merge was automatically disabled July 9, 2026 13:14

Head branch was pushed to by a user without write access

Copilot AI changed the title [WIP] Fix hardcoded secret detected by GitGuardian fix: replace hardcoded POSTGRES_PASSWORD with runtime-generated random password Jul 9, 2026
Copilot AI requested a review from BigSimmo July 9, 2026 13:16
@BigSimmo
BigSimmo enabled auto-merge (squash) July 9, 2026 13:17

@BigSimmo BigSimmo left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

foos

@BigSimmo
BigSimmo merged commit af72dbc into main Jul 9, 2026
8 checks passed
@BigSimmo
BigSimmo deleted the copilot/fix-gitgguardian-secret-issue branch July 9, 2026 14:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

#### ⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

2 participants