PR #3 scrubbed ***REDACTED-LEGACY-PW*** from every env file, compose unit,
and deployment doc but missed scripts/setup-database.sh, which still
hard-coded DB_PASSWORD="***REDACTED-LEGACY-PW***" on line 17. That slipped
past gitleaks because the shell-escaped form (backslash-dollar) does not
match the L@kers?\$?2010 regex committed in .gitleaks.toml -- the regex was
written to catch the *expanded* form, not the source form.

This commit removes the hardcoded default and requires DB_PASSWORD to be
exported by the operator before running the script. Same pattern as the
rest of the PR #3 conversion (fail-fast at boot when a required secret is
unset) so there is no longer any legitimate reason for the password string
to live in the repo.

Verification:

    git grep -nE 'L@kers?\\?\$?2010' -- scripts/   # no matches
    bash -n scripts/setup-database.sh              # clean
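The scanner gap and the fail-fast check described in the commit message above, as an added example that is not code from this repository. The secret `Ex@mple$2024`, the two patterns, and the function names `require_secret`, `count_hits` and `make_sample` are constructed for illustration.

```shell
#!/bin/sh
# Added illustration. Every value here is constructed; nothing is taken from the repo.

# Pattern written for the value as it looks after the shell expands it.
EXPANDED_RE='Ex@mple\$?2024'
# Same pattern, also tolerating the backslash that shell source puts before "$".
SOURCE_RE='Ex@mple\\?\$?2024'

# Write a constructed script fragment holding the secret in its source form.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
DB_USER="app"
DB_PASSWORD="Ex@mple\$2024"
EOF
    echo "$f"
}

# count_hits REGEX FILE: print the number of matching lines (0 is not an error).
count_hits() {
    grep -cE -- "$1" "$2" || true
}

# require_secret NAME: return non-zero unless variable NAME is set and non-empty.
require_secret() {
    case $1 in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
            echo "error: invalid variable name" >&2
            return 2 ;;
    esac
    eval "_val=\${$1:-}"
    if [ -z "$_val" ]; then
        echo "error: $1 must be exported before running this script" >&2
        return 1
    fi
}

# Demo: the expanded-form pattern reports 0 hits, the source-aware one reports 1.
sample=$(make_sample)
echo "expanded-form pattern hits: $(count_hits "$EXPANDED_RE" "$sample")"
echo "source-form pattern hits:   $(count_hits "$SOURCE_RE" "$sample")"
rm -f "$sample"
```

In a setup script, `require_secret DB_PASSWORD || exit 1` placed before the first use of the variable gives the fail-fast behaviour with no default left in the file.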