--- issue: 115 title: "Frontend: real plaintext credentials in committed scripts/show-credentials.sh" severity: low domain: Security labels: [security, frontend, secrets, rotation-required] status: open created: 2026-05-30 source: Full Codebase Audit 2026-05-30 --- # Frontend: real plaintext credentials in committed scripts/show-credentials.sh **Severity:** low **Domain:** Security **Labels:** security, frontend, secrets, rotation-required ## Description `frontend/scripts/show-credentials.sh:8` contains hardcoded credentials including the password `Moji6364`. If this account exists in any real environment, the password must be rotated. ## Options 1. Delete the scripts and rotate the password if the account is real. 2. Replace hardcoded creds with env-var prompts. 3. Keep scripts but move creds out and rotate. ## Recommendation Remove the hardcoded credentials (use env-var prompts instead) and rotate the account password if it exists in any real environment. ## Affected Files - `frontend/scripts/show-credentials.sh:8` ## References - [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-75