From 9b0e5cef5c3fc7d587ae54c2587e0cdea3c4bf6a Mon Sep 17 00:00:00 2001
From: Abhimanyu Saharan
Date: Mon, 2 Feb 2026 19:59:02 +0530
Subject: [PATCH] Do not hardcode DB password in reset script
---
 backend/scripts/reset_db.sh | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/backend/scripts/reset_db.sh b/backend/scripts/reset_db.sh
index 08284d07..5a8e0e7d 100755
--- a/backend/scripts/reset_db.sh
+++ b/backend/scripts/reset_db.sh
@@ -5,10 +5,39 @@ DB_NAME=${DB_NAME:-openclaw_agency}
 DB_USER=${DB_USER:-postgres}
 DB_HOST=${DB_HOST:-127.0.0.1}
 DB_PORT=${DB_PORT:-5432}
-DB_PASSWORD=${DB_PASSWORD:-REDACTED}
+
+# Never hardcode passwords in git. Prefer:
+# - DB_PASSWORD env var, or
+# - infer from backend/.env DATABASE_URL
+DB_PASSWORD=${DB_PASSWORD:-}
 
 cd "$(dirname "$0")/.."
 
+if [[ -z "${DB_PASSWORD}" ]] && [[ -f .env ]]; then
+ DB_PASSWORD=$(python3 - <<'PY'
+import os
+from pathlib import Path
+from urllib.parse import urlparse
+
+def parse_database_url(url: str) -> str:
+ # supports postgresql+psycopg://user:pass@host:port/db
+ u = urlparse(url)
+ return u.password or ""
+
+for line in Path('.env').read_text().splitlines():
+ if line.startswith('DATABASE_URL='):
+ print(parse_database_url(line.split('=',1)[1].strip()))
+ break
+PY
+)
+fi
+
+if [[ -z "${DB_PASSWORD}" ]]; then
+ echo "ERROR: DB_PASSWORD not set and could not infer it from backend/.env DATABASE_URL" >&2
+ echo "Set DB_PASSWORD=... or create backend/.env with DATABASE_URL" >&2
+ exit 2
+fi
+
 export PGPASSWORD="$DB_PASSWORD"
 
 # 1) wipe schema
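Review bot: `parse_database_url` returns `u.password` exactly as it is written in the URL, so a password that is percent-encoded in `DATABASE_URL` (for example one containing `@` or `/`) reaches `PGPASSWORD` still encoded and authentication fails; decode it with `from urllib.parse import unquote, urlparse` and `return unquote(u.password or "")`. The `for` loop also passes the text after `=` to `urlparse` verbatim, so a quoted `DATABASE_URL="..."` line appears to yield an empty password and ends in the generic exit-2 message; stripping surrounding quotes first would cover that case. Only the password is taken from the URL while `DB_USER`, `DB_HOST` and `DB_NAME` keep their defaults, so the credential can be presented to a different host or user than the one `.env` names, and a short comment stating that limitation (or deriving the other fields from the same URL) would make the behaviour explicit.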