From 1541b4b7e00840eb55e6d4bed9aec3eecfdd7d39 Mon Sep 17 00:00:00 2001
From: anti <samuel@securejump.cl>
Date: Thu, 9 Apr 2026 13:25:40 -0400
Subject: [PATCH] docs: close DEBT-002 as by-design

---
 DEBT.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/DEBT.md b/DEBT.md
index 8fa1dfd..3e06b82 100644
--- a/DEBT.md
+++ b/DEBT.md
@@ -11,9 +11,8 @@
 ~~**File:** `decnet/env.py:15`~~  
 Fixed in commit `b6b046c`. `DECNET_JWT_SECRET` is now required; startup raises `ValueError` if unset or set to a known-bad value.
 
-### ~~DEBT-002 — Default admin credentials in code~~ ✅ RESOLVED
-~~**File:** `decnet/env.py:21-22`, `decnet/web/sqlite_repository.py:71`~~  
-Fixed in commit `b6b046c`. `DECNET_ADMIN_PASSWORD` is now required via `_require_env()`; known-bad defaults are rejected at startup.
+### ~~DEBT-002 — Default admin credentials in code~~ ✅ CLOSED (by design)
+`DECNET_ADMIN_PASSWORD` defaults to `"admin"` intentionally — the web dashboard enforces a password change on first login (`must_change_password=1`). Startup enforcement removed as it broke tooling without adding meaningful security.
 
 ### ~~DEBT-003 — Hardcoded LDAP password placeholder~~ ✅ CLOSED (false positive)
 `templates/ldap/server.py:73` — `"<sasl_or_unknown>"` is a log label for SASL auth attempts, not an operational credential. The LDAP template is a honeypot; it has no bind password of its own.