The admin seeding function previously fell back to password 'admin' when
AUTH_PASS was unset, and accepted any value from .env.example including
the documented default 'change-me-on-first-login'. This meant a user who
copied .env.example without changing the password (or forgot to set
AUTH_PASS entirely) would have an instance running with publicly known
credentials.

The seeding function now:
- Skips seeding entirely if AUTH_PASS is not set (instead of defaulting
  to 'admin')
- Checks AUTH_PASS against a blocklist of known insecure values
  (admin, password, change-me-on-first-login, changeme, testpass123)
- Logs a clear warning explaining what to do in both cases

Existing instances that already have users in the database are not
affected — the seeding function only runs when the users table is empty.

Signed-off-by: Mark Liu <mark@prove.com.au>
* feat: add workspace-scoped auth sessions and core API filtering
* feat: extend workspace scoping to search status standup and messaging
* feat: scope agent connect github and alert workflows by workspace
* fix: scope status sync and session alerts by workspace
* feat: add phase2 workspace migration and scope chat pipeline alerts
* feat: add model selection for agents and cron jobs
* feat: add deterministic agent avatars to task and squad views
* feat: add read-only cron calendar and agenda views
* feat: render task descriptions with markdown
* fix: resolve all 44 failing CI E2E tests
- Bypass non-critical rate limiters in test env (MC_DISABLE_RATE_LIMIT=1)
  to prevent 429s when 165 tests share the same IP bucket
- Make admin seed idempotent (INSERT OR IGNORE) to fix UNIQUE constraint
  race when multiple Next.js workers initialize concurrently
- Add distinct x-forwarded-for headers to login-flow tests so they never
  share the critical login rate-limit bucket with other test suites
- Add missing 018_token_usage migration that the heartbeat POST handler
  depends on, fixing the 500 on inline token reporting
* docs: update README with latest features and test count
- Update migration count from 15 to 18
- Update E2E test count from 146 to 165
- Move Direct CLI, OpenAPI docs, and GitHub sync to completed roadmap
- Add Direct CLI and GitHub sync feature descriptions
- Add /api/connect and /api/github to API reference
- Remove resolved known limitation (vitest stubs)
- Update repo description
* fix: prevent build-time admin seed with wrong credentials in CI
Move `cp .env.test .env` before `pnpm build` in CI workflow so env vars
are present during build. Add NEXT_PHASE guard to skip seed during build
as belt-and-suspenders — env vars may not be available at build time.

Root cause: `next build` imports db.ts, triggering seedAdminUserFromEnv()
with undefined AUTH_USER/AUTH_PASS, seeding user `admin` instead of
`testadmin`. Runtime seed then sees count > 0 and skips. Tests log in
as `testadmin`, which doesn't exist → 401.
- Add `PRAGMA foreign_keys = ON` to db.ts — without this, all
  ON DELETE CASCADE constraints across 7 tables are silently ignored
  (SQLite disables foreign keys by default)
- Add migration 015 with indexes on hot query paths:
  notifications(read_at), notifications(recipient, read_at),
  activities(actor), activities(entity_type, entity_id),
  messages(read_at)
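
The seed rules from the opening message and the build-time seed fix, combined in one added example that is not the project's db.ts. Function names are hypothetical, a `Map` stands in for the SQLite users table, and refusing blocklisted values, the case-insensitive match and the `phase-production-build` value checked for NEXT_PHASE are assumptions.

```javascript
// Added example: hypothetical names, not the project's db.ts.
// Blocklist values are the ones listed in the commit message.
const INSECURE_PASSWORDS = new Set([
  'admin', 'password', 'change-me-on-first-login', 'changeme', 'testpass123',
]);

// Pure decision step so every skip path can be asserted on.
function decideAdminSeed(env, userCount) {
  // Assumed guard value: Next.js's build-phase constant.
  if (env.NEXT_PHASE === 'phase-production-build') return { seed: false, reason: 'build-phase' };
  // Existing instances are untouched: seed only into an empty users table.
  if (userCount > 0) return { seed: false, reason: 'users-exist' };
  const pass = env.AUTH_PASS;
  if (!pass) return { seed: false, reason: 'auth-pass-unset' }; // no 'admin' fallback
  // Assumption: compare trimmed and case-insensitively so 'Admin ' is caught too.
  if (INSECURE_PASSWORDS.has(pass.trim().toLowerCase())) {
    return { seed: false, reason: 'auth-pass-insecure' };
  }
  return { seed: true, username: env.AUTH_USER || 'admin' };
}

// Stand-in for INSERT OR IGNORE on a UNIQUE username column.
function insertOrIgnore(users, username) {
  if (users.has(username)) return false;
  users.set(username, { username, role: 'admin' }); // real code stores a password hash
  return true;
}

function seedAdminFromEnv(env, users, warn = console.warn) {
  const decision = decideAdminSeed(env, users.size);
  if (!decision.seed) {
    if (decision.reason.startsWith('auth-pass-')) {
      warn(`Admin not seeded (${decision.reason}): set AUTH_PASS to a unique value and restart.`);
    }
    return decision.reason;
  }
  return insertOrIgnore(users, decision.username) ? 'seeded' : 'ignored';
}
```

Because the build-phase check runs first, a build with no env vars present leaves the table empty, so the runtime seed can still create the intended user.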