🛡️ Sentinel: [CRITICAL] Fix hardcoded admin credentials

[seonghobae]

🚨 Severity: CRITICAL
💡 Vulnerability: Hardcoded ADMIN_USERNAME and ADMIN_PASSWORD were present in the source code (packages/web/src/lib/server/admin-auth.ts). This is a critical security vulnerability, as anyone with access to the source code (or decompiled artifacts) could obtain the admin credentials and gain unauthorized access.
🎯 Impact: An attacker with these credentials could bypass authentication, accessing the admin panel and performing unauthorized actions, potentially compromising user data and system integrity.
🔧 Fix:

• Removed the hardcoded credentials from packages/web/src/lib/server/admin-auth.ts.
• Configured the application to read these values from environment variables (env.ADMIN_USERNAME, env.ADMIN_PASSWORD).
• Added validation for these variables using Zod in packages/web/src/lib/server/env.ts, ensuring they are non-empty strings (using .trim().min(N)).
• Updated .env.example with secure placeholders to guide developers during setup.
• Updated .github/workflows/ci.yml to inject placeholder values for these required environment variables, ensuring the CI build continues to pass.
  ✅ Verification:
• Verified locally that the code compiles successfully without the hardcoded variables.
• Verified that pnpm --filter @argos/web build succeeds when the required environment variables are set.
• Ensured tests continue to run.

---

PR created automatically by Jules for task 17384522501331634607 started by @seonghobae

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Warning

Review limit reached

@seonghobae, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 14 minutes. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d39545a7-4c77-48e2-a898-08ec9f73e3c6

📥 Commits

Reviewing files that changed from the base of the PR and between 2e92fa8 and 07e3806.

📒 Files selected for processing (3)

• .jules/sentinel.md
• packages/web/src/app/api/admin/login/route.ts
• packages/web/src/lib/server/admin-auth.ts

📝 Walkthrough

Walkthrough

하드코딩된 관리자 사용자명(admin)과 비밀번호를 환경 변수로 변경합니다. 환경 스키마에 필드를 추가하여 최소 길이 검증을 적용하고, 관리자 인증 모듈이 env 기반 값을 사용하도록 수정합니다.

Changes

관리자 자격 증명 환경 설정

Layer / File(s)	Summary
환경 스키마 및 관리자 자격 증명 검증 packages/web/src/lib/server/env.ts	EnvSchema에 ADMIN_USERNAME과 ADMIN_PASSWORD를 추가하여 각각 최소 1자, 8자 이상의 트림된 문자열로 검증합니다.
관리자 인증에서 환경 변수 사용 packages/web/src/lib/server/admin-auth.ts	ADMIN_USERNAME과 ADMIN_PASSWORD를 하드코딩 값에서 env 객체 기반 참조로 변경합니다.
환경 예시, CI 워크플로우, 보안 문서 packages/web/.env.example, .github/workflows/ci.yml, .jules/sentinel.md	.env.example에 관리자 변수 예시를 추가하고, CI 빌드 단계에 환경 변수를 구성하며, 하드코딩된 시크릿의 보안 위험을 문서화합니다.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 분

Poem

🐰 하드코딩 안녕, 환경변수 환영!
비밀번호는 안전한 집으로 이사 가고,
Zod의 검증이 든든한 파수꾼,
관리자 계정도 환경에 맡기니
노 하드코딩, 노 문제! 🔐✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	PR 제목이 변경 사항의 핵심을 명확하게 설명하고 있습니다. 하드코딩된 관리자 자격 증명 문제를 수정하는 것이 주요 변경 내용입니다.
Description check	✅ Passed	PR 설명이 변경 사항과 완전히 관련이 있으며, 보안 취약점, 수정 사항, 검증 방법을 상세히 설명하고 있습니다.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-fix-hardcoded-admin-credentials-17384522501331634607

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch sentinel-fix-hardcoded-admin-credentials-17384522501331634607

Warning

Billing warning: we have not been able to collect payment for this subscription for more than 72 hours. Please update the payment method or pay any pending invoices in Billing to avoid service interruption.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/web/src/lib/server/env.ts`:
- Line 8: Session validation breaks when ADMIN_USERNAME contains '.' because
admin session format in admin-auth.ts is username.expiresAt.nonce.signature and
validation splits on '.' expecting 4 parts; update the ADMIN_USERNAME schema in
env.ts to forbid dots (e.g., require no '.' via a regex or refine) so usernames
like "admin.ops" cannot be created, and ensure the change references
ADMIN_USERNAME and the session creation/validation logic in admin-auth.ts to
keep the 4-part split invariant.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e0e77c05-aa3a-4730-9d03-cdbd5ad8b72d

📥 Commits

Reviewing files that changed from the base of the PR and between cdf4ce8 and 2e92fa8.

📒 Files selected for processing (5)

• .github/workflows/ci.yml
• .jules/sentinel.md
• packages/web/.env.example
• packages/web/src/lib/server/admin-auth.ts
• packages/web/src/lib/server/env.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

ADMIN_USERNAME에 . 허용 시 관리자 세션 검증이 깨집니다.

packages/web/src/lib/server/admin-auth.ts의 세션 값은 username.expiresAt.nonce.signature 형태로 생성되고(Line 40), 검증 시 split('.') 결과를 4개로 고정 검사합니다(Line 64).
현재 스키마는 ADMIN_USERNAME에 .를 허용하므로(예: admin.ops), 정상 로그인 후에도 세션이 항상 무효 처리될 수 있습니다.

🔧 제안 수정

 const EnvSchema = z.object({
   DATABASE_URL: z.string().min(1),
   DIRECT_URL: z.string().min(1),
   JWT_SECRET: z.string().min(32),
-  ADMIN_USERNAME: z.string().trim().min(1),
+  ADMIN_USERNAME: z
+    .string()
+    .trim()
+    .min(1)
+    .regex(/^[^.]+$/, 'ADMIN_USERNAME must not contain "."'),
   ADMIN_PASSWORD: z.string().trim().min(8),
 })

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/lib/server/env.ts` at line 8, Session validation breaks when
ADMIN_USERNAME contains '.' because admin session format in admin-auth.ts is
username.expiresAt.nonce.signature and validation splits on '.' expecting 4
parts; update the ADMIN_USERNAME schema in env.ts to forbid dots (e.g., require
no '.' via a regex or refine) so usernames like "admin.ops" cannot be created,
and ensure the change references ADMIN_USERNAME and the session
creation/validation logic in admin-auth.ts to keep the 4-part split invariant.

[seonghobae]

최신 upstream/main 기준으로 이 PR은 82개 파일의 stale diff를 포함합니다. 특히 .claude agent/skill 파일 삭제와 오래된 워크플로우/lockfile/env 변경이 섞여 있어 그대로 유지하거나 upstream에 올리면 이미 반영된 변경을 되돌릴 위험이 큽니다.

현재 큐는 upstream #30 → upstream #21 순서로 정리 중입니다. 이 PR의 아이디어가 여전히 필요하면 최신 upstream/main에서 단일 목적 브랜치로 깨끗하게 다시 추출하겠습니다. stale PR로 닫습니다.

[google-labs-jules]

최신 upstream/main 기준으로 이 PR은 82개 파일의 stale diff를 포함합니다. 특히 .claude agent/skill 파일 삭제와 오래된 워크플로우/lockfile/env 변경이 섞여 있어 그대로 유지하거나 upstream에 올리면 이미 반영된 변경을 되돌릴 위험이 큽니다.

현재 큐는 upstream #30 → upstream #21 순서로 정리 중입니다. 이 PR의 아이디어가 여전히 필요하면 최신 upstream/main에서 단일 목적 브랜치로 깨끗하게 다시 추출하겠습니다. stale PR로 닫습니다.

Understood. Acknowledging that this PR is closed as obsolete and stopping work on this task.