fix: remove hardcoded password hashes and improve code quality

Security fixes:
- Remove hardcoded password hash from SQL schema (security vulnerability)
- Replace with secure user creation via setup script
- Update all documentation to emphasize secure user creation practices

Code quality improvements:
- Fix SQL schema: use ENUM types and constants instead of duplicated literals
- Fix Dockerfile: sort package names alphabetically and merge RUN instructions
- Fix CI/CD: correct Node.js paths (ui/web -> src/ui/web) and update CodeQL actions

Documentation updates:
- Add security warnings about not hardcoding credentials
- Update README.md, DEPLOYMENT.md, QUICK_START.md, docs/secrets.md
- Emphasize use of setup script for secure user creation
- Add production security best practices

Author: T-DevH

DEPLOYMENT.md

@@ -65,17 +65,27 @@ PGPASSWORD=${POSTGRES_PASSWORD:-changeme} psql -h localhost -p 5435 -U warehouse
 
 ### 5. Create Default Users
 
+**⚠️ Security Note:** The SQL schema does not contain hardcoded password hashes. Users must be created using the setup script, which generates secure password hashes from environment variables.
+
 ```bash
 # Activate virtual environment
 source env/bin/activate
 
+# Set password via environment variable (optional, defaults to 'changeme' for development)
+export DEFAULT_ADMIN_PASSWORD=your-secure-password-here
+
 # Create default admin and user accounts
 python scripts/setup/create_default_users.py
 ```
 
 **Default Login Credentials:**
 - **Username:** `admin`
-- **Password:** `changeme` (or value of `DEFAULT_ADMIN_PASSWORD` env var)
+- **Password:** Value of `DEFAULT_ADMIN_PASSWORD` environment variable (default: `changeme` for development only)
+
+**⚠️ Production Security:**
+- Always set strong, unique passwords via environment variables
+- Never use default passwords in production
+- The setup script generates unique bcrypt hashes with random salts - no credentials are exposed in source code
 
 ### 6. (Optional) Install RAPIDS for GPU-Accelerated Forecasting
 

Dockerfile

@@ -39,8 +39,8 @@ WORKDIR /app
 
 # Install system dependencies
 RUN apt-get update && apt-get install -y \
-    gcc \
     g++ \
+    gcc \
     git \
     && rm -rf /var/lib/apt/lists/*
 
@@ -58,8 +58,8 @@ WORKDIR /app
 
 # Install runtime dependencies
 RUN apt-get update && apt-get install -y \
-    git \
     curl \
+    git \
     && rm -rf /var/lib/apt/lists/*
 
 # Copy Python dependencies from backend-deps stage
@@ -86,8 +86,9 @@ ENV PYTHONUNBUFFERED=1
 COPY --from=frontend-builder /app/src/ui/web/build ./src/ui/web/build
 
 # Create non-root user for security
-RUN groupadd -r appuser && useradd -r -g appuser appuser
-RUN chown -R appuser:appuser /app
+RUN groupadd -r appuser && \
+    useradd -r -g appuser appuser && \
+    chown -R appuser:appuser /app
 USER appuser
 
 # Health check

QUICK_START.md

@@ -25,10 +25,12 @@ PGPASSWORD=${POSTGRES_PASSWORD:-changeme} psql -h localhost -p 5435 -U warehouse
 PGPASSWORD=${POSTGRES_PASSWORD:-changeme} psql -h localhost -p 5435 -U warehouse -d warehouse -f data/postgres/004_inventory_movements_schema.sql
 PGPASSWORD=${POSTGRES_PASSWORD:-changeme} psql -h localhost -p 5435 -U warehouse -d warehouse -f scripts/setup/create_model_tracking_tables.sql
 
-# Create default users
+# Create default users (generates secure password hashes from environment variables)
 python scripts/setup/create_default_users.py
 ```
 
+**⚠️ Security Note:** The SQL schema does not contain hardcoded password hashes. Users are created securely via the setup script using environment variables.
+
 **Note:** For detailed setup instructions, see [DEPLOYMENT.md](DEPLOYMENT.md)
 
 ### 2. Start Server
@@ -80,9 +82,10 @@ python scripts/setup/create_default_users.py
 ```
 
 **Password not working?**
-- Default password is `changeme`
-- Check your `.env` file for `DEFAULT_ADMIN_PASSWORD`
+- Default password is `changeme` (development only)
+- Check your `.env` file for `DEFAULT_ADMIN_PASSWORD` environment variable
 - Recreate users: `python scripts/setup/create_default_users.py`
+- **Note:** The SQL schema does not create users - they must be created via the setup script
 
 **Port already in use?**
 ```bash

README.md

@@ -258,14 +258,24 @@ PGPASSWORD=${POSTGRES_PASSWORD:-changeme} psql -h localhost -p 5435 -U warehouse
 
 ### Step 6: Create Default Users
 
+**⚠️ Security Note:** The SQL schema (`data/postgres/000_schema.sql`) does not contain hardcoded password hashes. Users must be created using the setup script, which generates secure password hashes from environment variables.
+
 ```bash
+# Set password via environment variable (optional, defaults to 'changeme' for development)
+export DEFAULT_ADMIN_PASSWORD=your-secure-password-here
+
 # Create default admin and operator users
 python scripts/setup/create_default_users.py
 ```
 
 **Default Credentials:**
-- **Admin user**: `admin` / `changeme` (role: admin)
-- **Operator user**: `user` / `changeme` (role: operator)
+- **Admin user**: `admin` / Value of `DEFAULT_ADMIN_PASSWORD` env var (default: `changeme` for development only)
+- **Operator user**: `user` / Value of `DEFAULT_USER_PASSWORD` env var (default: `changeme` for development only)
+
+**⚠️ Production Security:**
+- Always set strong, unique passwords via environment variables
+- Never use default passwords in production
+- The setup script generates unique bcrypt hashes with random salts - no credentials are exposed in source code
 
 ### Step 7: Install RAPIDS for GPU-Accelerated Forecasting
 

data/postgres/000_schema.sql

@@ -33,14 +33,25 @@ CREATE TABLE IF NOT EXISTS equipment_telemetry (
   value DOUBLE PRECISION NOT NULL
 );
 
+-- User role and status ENUM types
+DO $$
+BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'user_role') THEN
+    CREATE TYPE user_role AS ENUM ('admin', 'manager', 'supervisor', 'operator', 'viewer');
+  END IF;
+  IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'user_status') THEN
+    CREATE TYPE user_status AS ENUM ('active', 'inactive', 'suspended', 'pending');
+  END IF;
+END $$;
+
 -- User authentication and authorization tables
 CREATE TABLE IF NOT EXISTS users (
   id SERIAL PRIMARY KEY,
   username TEXT UNIQUE NOT NULL,
   email TEXT UNIQUE NOT NULL,
   full_name TEXT NOT NULL,
-  role TEXT NOT NULL CHECK (role IN ('admin', 'manager', 'supervisor', 'operator', 'viewer')),
-  status TEXT NOT NULL DEFAULT 'active' CHECK (status IN ('active', 'inactive', 'suspended', 'pending')),
+  role user_role NOT NULL,
+  status user_status NOT NULL DEFAULT 'active',
   hashed_password TEXT NOT NULL,
   created_at TIMESTAMPTZ DEFAULT now(),
   updated_at TIMESTAMPTZ DEFAULT now(),
@@ -109,16 +120,15 @@ ON CONFLICT (sku) DO UPDATE SET
   reorder_point = EXCLUDED.reorder_point,
   updated_at = now();
 
--- Sample users (passwords set via DEFAULT_ADMIN_PASSWORD env var, hashed with bcrypt)
-INSERT INTO users (username, email, full_name, role, status, hashed_password) VALUES
-  ('admin', 'admin@warehouse.com', 'System Administrator', 'admin', 'active', '$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewdBPj4J/8KzqK2a'),
-  ('manager1', 'manager1@warehouse.com', 'John Manager', 'manager', 'active', '$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewdBPj4J/8KzqK2a'),
-  ('supervisor1', 'supervisor1@warehouse.com', 'Jane Supervisor', 'supervisor', 'active', '$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewdBPj4J/8KzqK2a'),
-  ('operator1', 'operator1@warehouse.com', 'Bob Operator', 'operator', 'active', '$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewdBPj4J/8KzqK2a'),
-  ('viewer1', 'viewer1@warehouse.com', 'Alice Viewer', 'viewer', 'active', '$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewdBPj4J/8KzqK2a')
-ON CONFLICT (username) DO UPDATE SET
-  email = EXCLUDED.email,
-  full_name = EXCLUDED.full_name,
-  role = EXCLUDED.role,
-  status = EXCLUDED.status,
-  updated_at = now();
+-- Sample users should be created using the setup script: scripts/setup/create_default_users.py
+-- This script properly generates password hashes from environment variables and does not expose
+-- sensitive credentials in source code. Never hardcode password hashes in SQL files.
+--
+-- To create default users, run:
+--   python scripts/setup/create_default_users.py
+--
+-- The script uses the following environment variables:
+--   - DEFAULT_ADMIN_PASSWORD: Password for the admin user (default: 'changeme')
+--   - DEFAULT_USER_PASSWORD: Password for regular users (default: 'changeme')
+--
+-- For production deployments, always set strong passwords via environment variables.

docs/secrets.md

@@ -67,13 +67,48 @@ ERP_API_KEY=your-erp-api-key
 ## Security Best Practices
 
 1. **Never commit secrets to version control**
-2. **Use secrets management systems in production**
-3. **Rotate credentials regularly**
-4. **Use least privilege principle**
-5. **Enable audit logging**
-6. **Use secure communication protocols**
-7. **Implement proper access controls**
-8. **Regular security audits**
+2. **Never hardcode password hashes in SQL files or source code**
+   - Password hashes should be generated dynamically from environment variables
+   - Use the setup script (`scripts/setup/create_default_users.py`) to create users securely
+   - The SQL schema (`data/postgres/000_schema.sql`) does not contain hardcoded credentials
+3. **Use secrets management systems in production**
+4. **Rotate credentials regularly**
+5. **Use least privilege principle**
+6. **Enable audit logging**
+7. **Use secure communication protocols**
+8. **Implement proper access controls**
+9. **Regular security audits**
+
+## User Creation Security
+
+### ⚠️ Important: Never Hardcode Password Hashes
+
+**The SQL schema file (`data/postgres/000_schema.sql`) does NOT contain hardcoded password hashes or sample user data.** This is a security best practice to prevent credential exposure in source code.
+
+### Creating Users Securely
+
+Users must be created using the setup script, which:
+- Generates unique bcrypt hashes with random salts
+- Reads passwords from environment variables (never hardcoded)
+- Does not expose credentials in source code
+
+**To create default users:**
+```bash
+# Set password via environment variable
+export DEFAULT_ADMIN_PASSWORD=your-secure-password-here
+
+# Run the setup script
+python scripts/setup/create_default_users.py
+```
+
+**Environment Variables:**
+- `DEFAULT_ADMIN_PASSWORD` - Password for the admin user (default: `changeme` for development only)
+- `DEFAULT_USER_PASSWORD` - Password for regular users (default: `changeme` for development only)
+
+**For Production:**
+- Always set strong, unique passwords via environment variables
+- Never use default passwords in production
+- Consider using a secrets management system (AWS Secrets Manager, HashiCorp Vault, etc.)
 
 ## JWT Secret Configuration
 

scripts/README.md

@@ -226,13 +226,27 @@ Starts all development infrastructure services (PostgreSQL, Redis, Kafka, Milvus
 
 **Script:** `scripts/setup/create_default_users.py`
 
-Creates default users with proper password hashing.
+Creates default users with proper password hashing. This script:
+- Generates unique bcrypt password hashes with random salts
+- Reads passwords from environment variables (never hardcoded)
+- Does not expose credentials in source code
+- **Security:** The SQL schema does not contain hardcoded password hashes - users must be created via this script
 
 **Usage:**
 ```bash
+# Set password via environment variable (optional, defaults to 'changeme' for development)
+export DEFAULT_ADMIN_PASSWORD=your-secure-password-here
+
+# Create default users
 python scripts/setup/create_default_users.py
 ```
 
+**Environment Variables:**
+- `DEFAULT_ADMIN_PASSWORD` - Password for admin user (default: `changeme` for development only)
+- `DEFAULT_USER_PASSWORD` - Password for regular users (default: `changeme` for development only)
+
+**⚠️ Production:** Always set strong, unique passwords via environment variables. Never use default passwords in production.
+
 **SQL Script:** `scripts/setup/create_model_tracking_tables.sql`
 
 Creates tables for tracking model training history and predictions.