From 220c6343d4bb39ac274ab029208d438449666d64 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 9 Jul 2026 13:07:35 +0000 Subject: [PATCH 1/2] Initial plan From b704f2a2a136ed315d1794c0bbe2667b88cd1eb9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 9 Jul 2026 13:14:21 +0000 Subject: [PATCH 2/2] fix: replace hardcoded POSTGRES_PASSWORD with runtime-generated random password MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GitGuardian flagged the hardcoded 'postgres' password in the scratch Docker container setup. Replace it with a 16-byte cryptographically random hex string generated at runtime using Node's built-in crypto module. The password is only used for the disposable local scratch container and is never stored or transmitted — making it random also removes any misleading suggestion that 'postgres' is a meaningful credential here. Closes #450 --- scripts/generate-drift-manifest.ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scripts/generate-drift-manifest.ts b/scripts/generate-drift-manifest.ts index 65f107fc5..4d55a50c2 100644 --- a/scripts/generate-drift-manifest.ts +++ b/scripts/generate-drift-manifest.ts @@ -1,4 +1,5 @@ import { execFileSync } from "node:child_process"; +import { randomBytes } from "node:crypto"; import { readFileSync, writeFileSync } from "node:fs"; import { fileURLToPath } from "node:url"; @@ -63,7 +64,8 @@ async function main() { // not running — fine } const startedAt = Date.now(); - docker(["run", "-d", "--name", CONTAINER, "-e", "POSTGRES_PASSWORD=postgres", "-p", `${port}:5432`, image]); + const scratchPassword = randomBytes(16).toString("hex"); + docker(["run", "-d", "--name", CONTAINER, "-e", `POSTGRES_PASSWORD=${scratchPassword}`, "-p", `${port}:5432`, image]); try { // Wait for Postgres readiness (image init runs its own restarts; give it time).