Hardcoded mock users (including admin) with shared static password hash in `apps/api/src/modules/auth/service.ts:32-42,59-67` enable predictable login paths.
Risk: Known credentials allow unauthorized admin access.
Fix: Remove mock auth from runtime, use real user store, rotate creds, add env-guard to block mock mode in production.
Source: Security audit
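
A sketch of the env-guard named in the fix, as an added example rather than code from the audited repository. The `MOCK_AUTH` variable, the `resolveAuthMode` function and the allowlist contents are assumptions. It uses an allowlist so that an unset or misspelled `NODE_ENV` fails closed.

```typescript
// Added example, not the project's code. MOCK_AUTH and resolveAuthMode
// are hypothetical names; adapt them to the service's real config.
type Env = Record<string, string | undefined>;
type AuthMode = "real" | "mock";

// Environments where mock auth may run. This is an allowlist: anything
// not listed (production, staging, unset, typos) is treated as production.
const MOCK_ALLOWED_ENVS = new Set<string>(["development", "test"]);

function normalize(value: string | undefined): string {
  return (value ?? "").trim().toLowerCase();
}

// Decide the auth mode once at startup, e.g. resolveAuthMode(process.env).
// Throws instead of silently falling back, so a misconfigured deployment
// fails to boot rather than serving the hardcoded mock users.
function resolveAuthMode(env: Env): AuthMode {
  const nodeEnv = normalize(env["NODE_ENV"]);
  const flag = normalize(env["MOCK_AUTH"]);
  const mockRequested = flag === "1" || flag === "true";

  if (!mockRequested) {
    return "real"; // default path: real user store
  }
  if (!MOCK_ALLOWED_ENVS.has(nodeEnv)) {
    const shown = nodeEnv === "" ? "<unset>" : nodeEnv;
    throw new Error(
      `MOCK_AUTH requested but NODE_ENV=${shown} is not allowlisted; refusing to start`
    );
  }
  return "mock";
}
```

The guard only limits where mock mode can be switched on; the mock users and their shared hash still need to be removed from the runtime bundle and the credentials rotated, as the fix states.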