[SECURITY] S2 — Hardcoded Postgres password in config.py:76

## Summary
Hardcoded Postgres password `'elvis_password'` found in `config/config.py` line 76.

## Risk
**HIGH** — Database credentials exposed in source code. Anyone with repo access can connect to the DB directly.

## Location
```python
# config/config.py:76
POSTGRES_PASSWORD = 'elvis_password'
```

## Fix
```python
POSTGRES_PASSWORD = os.environ.get('POSTGRES_PASSWORD') or vault.get_secret('postgres/password')
if not POSTGRES_PASSWORD:
    raise RuntimeError('POSTGRES_PASSWORD not set')
```

## Sprint
Sprint 1 — Story 1.2 (Security Hardening)

*Found by PM agent audit — Feb 17, 2026*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SECURITY] S2 — Hardcoded Postgres password in config.py:76 #11

Summary

Risk

Location

Fix

Sprint

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[SECURITY] S2 — Hardcoded Postgres password in config.py:76 #11

Description

Summary

Risk

Location

Fix

Sprint

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions