[H2] Bootstrap admin plaintext password written to .admin-credentials + info! log fallback #16
Severity: High
Component(s): server
Affected file(s): server/src/main.rs (~lines 198-225)
Problem:
The bootstrap admin plaintext password is written to `.admin-credentials` in the CWD and, as a fallback, logged via `info!`. The server deploys on Linux, so `0o600` works; the residual risk is the on-disk plaintext plus the log path.
Recommended fix:
Have the operator supply the password via env/one-time input, or print it once and never persist it; remove the log fallback.
Remediation phase: P0
From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding H2) and REMEDIATION-PLAN.md (P0).
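One way to implement the recommended fix, as an added example that is not the project's own code: the password is taken from an assumed `ADMIN_BOOTSTRAP_PASSWORD` variable or generated and shown once on stderr, nothing is written to the CWD, and the wrapper type redacts itself in `Debug` (and has no `Display`) so a log fallback cannot leak it. It assumes a Linux host with `/dev/urandom`.

```rust
use std::fmt;
use std::fs::File;
use std::io::{self, Read, Write};
/// Holds the secret behind a redacted Debug impl and no Display impl, so an
/// accidental `info!("{:?}", pw)` prints "[REDACTED]" and `info!("{}", pw)`
/// does not compile: the log fallback cannot be reintroduced by mistake.
pub struct BootstrapPassword(String);

impl BootstrapPassword {
    /// Only code that explicitly asks (the hasher creating the admin account)
    /// sees the plaintext.
    pub fn expose(&self) -> &str { &self.0 }
}

impl fmt::Debug for BootstrapPassword {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("[REDACTED]") }
}

/// Where the password came from; a generated one must be shown exactly once.
#[derive(Debug, PartialEq)]
pub enum Source { Environment, Generated }

/// Operator-supplied value (assumed variable ADMIN_BOOTSTRAP_PASSWORD) wins;
/// an empty or missing value falls back to `generate`. Nothing is persisted.
pub fn resolve(env_value: Option<String>, generate: impl FnOnce() -> String) -> (BootstrapPassword, Source) {
    match env_value.filter(|v| !v.is_empty()) {
        Some(v) => (BootstrapPassword(v), Source::Environment),
        None => (BootstrapPassword(generate()), Source::Generated),
    }
}

/// 24 random bytes from the Linux CSPRNG, hex-encoded (standard library only).
pub fn generate_from_urandom() -> io::Result<String> {
    let mut buf = [0u8; 24];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf.iter().map(|b| format!("{b:02x}")).collect())
}

/// Print-once path: the plaintext goes to the given writer (stderr at startup),
/// never to a file in the CWD and never through the logger.
pub fn show_once(pw: &BootstrapPassword, out: &mut impl Write) -> io::Result<()> {
    writeln!(out, "Bootstrap admin password (shown once, not stored): {}", pw.expose())
}

fn main() -> io::Result<()> {
    let env_value = std::env::var("ADMIN_BOOTSTRAP_PASSWORD").ok();
    let (pw, source) = resolve(env_value, || generate_from_urandom().expect("read /dev/urandom"));
    if source == Source::Generated { show_once(&pw, &mut io::stderr())?; }
    Ok(())
}
```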