chore(docs): standardize public messaging and claims boundary

[chrismaz11]

Standardizes canonical public messaging language and claims-boundary framing across README and boundary/security docs.\n\nScope:\n- README product-intro canonicalization\n- public security summary opening section normalization\n- public/private boundary responsibility wording update\n\nNo code-path or runtime behavior changes.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
trustsignal	Ready	Preview, Comment	Mar 27, 2026 10:11pm

In general, to fix “password hash with insufficient computational effort,” replace fast hash constructions (like md5, sha1, sha256 / HMAC alone) with a password hashing / key‑derivation function designed to be slow and optionally memory‑hard, such as bcrypt, scrypt, PBKDF2, or Argon2. These functions drastically increase the cost of offline guessing attacks if the derived values are exposed.

For this specific code, the best fix with minimal behavioral change is:

• Keep the idea of a deterministic API‑key fingerprint, but derive it using a KDF that supports configurable iterations, such as crypto.pbkdf2Sync with HMAC‑SHA256.
• Use the existing secret (API_KEY_FINGERPRINT_SECRET or the development fallback) as the PBKDF2 salt input, and the API key as the password input.
• Configure a modest but non‑trivial iteration count that is acceptable for this use (for example 100,000) and a small output length (e.g., 16 bytes, then hex‑encode and slice to 16 characters to preserve the current external representation size).
• Keep the return type and shape the same (a 16‑character hex string) so that callers (requireApiKeyScope and getApiRateLimitKey) continue to work without further changes.

Concretely, in apps/api/src/security.ts:

• Add pbkdf2Sync to the existing import from node:crypto.
• Update fingerprintApiKey to use pbkdf2Sync instead of createHmac. The function will still return a 16‑char hex string, but now derived using PBKDF2 with sufficient iterations.

No other files or call sites need functional changes.

---

In general, the problem is that the script-removal regex only matches </script> with no trailing whitespace or attributes. To fix this while keeping the behavior the same otherwise, expand the closing-tag part of the regex to allow optional whitespace and attributes before the closing >. We should also keep it case-insensitive and non-greedy, as in the original.

The best minimal change is to adjust only the first .replace in stripHtml:

• From: /\<script[\s\S]*?<\/script>/gi
• To: /\<script\b[\s\S]*?<\/script\b[^>]*>/gi

Changes:

• Add \b after script in the opening tag to avoid matching longer words.
• Change the closing tag to </script\b[^>]*> to permit variants such as </script >, </script foo="bar">, and with odd spacing, which browsers accept.

We keep all other replacements intact. No new imports or external libraries are required, and we stay within apps/api/src/services/registryAdapters.ts, modifying only the lines shown.

[Copilot]

Pull request overview

This PR broadly rebrands “Deed Shield” surfaces to “TrustSignal” across documentation, packages, demos, and ops artifacts, while also introducing several substantive runtime/security/registry and circuit-proof changes (despite the PR description claiming docs-only scope).

Changes:

• Rebrand identifiers and public-facing messaging across docs, packages, demo UI, and monitoring artifacts.
• Update API/server behavior: revocation pre-handler, API-key fingerprinting, rate-limit configuration, env loading changes, and expanded registry adapter/snapshot logic with new tests and schema/db updates.
• Add/adjust repo guardrails and CI/security workflows (Trivy, dependency review, zizmor) plus CODEOWNERS and gitignore updates.

Reviewed changes

Copilot reviewed 62 out of 66 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
trustsignal_tests.sh	Adds a bash-based API test runner for ingest/verify flows.
src/routes/verify.ts	Adds per-route rate limiting config for /v1/verify-bundle.
src/api/verify.js	Rebrands legacy demo HTML title/header.
sdk/index.ts	Replaces regex trailing-slash removal with a helper function.
packages/core/src/receiptSigner.test.ts	Updates tests to use trustsignal verifierId.
packages/core/src/receipt.ts	Changes default verifierId to trustsignal.
packages/core/package.json	Renames package scope to @trustsignal/core.
packages/contracts/package.json	Renames package scope to @trustsignal/contracts.
packages/README.md	Updates workspace package naming guidance.
package.json	Renames repo/package name to trustsignal.
package-lock.json	Updates workspace names and links for renamed packages.
ml/model/pycache/common.cpython-314.pyc	Adds a Python bytecode artifact (should be excluded).
docs/security-summary.md	Rewrites public security summary opening + audience section.
docs/public-private-boundary.md	Updates public/private boundary framing and guardrails text.
docs/partner-eval/integration-model.md	Updates wording from DeedShield to TrustSignal surface.
docs/ops/monitoring/grafana-dashboard-deedshield-api.json	Rebrands dashboard title.
docs/ops/monitoring/alert-rules.yml	Rebrands alert names (expressions remain deedshield-prefixed).
docs/ops/monitoring/README.md	Rebrands monitoring README wording.
docs/legal/terms-of-service.md	Updates product/module naming in legal terms.
docs/legal/privacy-policy.md	Updates naming and scope wording.
docs/legal/pilot-agreement.md	Updates pilot program naming.
docs/legal/cookie-policy.md	Updates naming for cookie policy.
docs/final/14_VANTA_INTEGRATION_USE_CASE.md	Rebrands “module” fields and vertical naming.
docs/final/11_NSF_GRANT_WHITEPAPER.md	Removes DeedShield wedge naming from abstract.
docs/final/10_INCIDENT_ESCALATION_AND_SLO_BASELINE.md	Rebrands scope statement.
docs/final/01_EXECUTIVE_SUMMARY.md	Rebrands title and product-position language.
docs/customer/pilot-handbook.md	Rebrands pilot handbook welcome text.
docs/compliance/kpmg-evidence-index.md	Adds machine-generated evidence index doc.
docs/compliance/kpmg-enterprise-readiness-validation-report.md	Adds machine-generated readiness validation report.
docs/compliance/kpmg-enterprise-audit-runbook.md	Adds audit runbook for diligence execution.
docs/IT_INSTALLATION_MANUAL.md	Rebrands installation manual and PRIA mapping language.
docs/IMPLEMENTATION_PLAN_PASSIVE_INSPECTOR.md	Rebrands watcher plan references + package scope.
docs/CANONICAL_MESSAGING.md	Adjusts canonical messaging guidance wording.
circuits/non_mem_gadget/src/revocation.rs	Switches revocation prove path to shared proof helper.
circuits/non_mem_gadget/src/lib.rs	Replaces MockProver with create/verify proof flow helper.
bench/run-bench.ts	Updates benchmark receipt builder verifierId.
apps/web/src/contexts/OperatorContext.tsx	Migrates localStorage key from deed-shield to trustsignal.
apps/web/src/app/verify-artifact/page.tsx	Replaces page with redirect alias to /verify.
apps/web/package.json	Renames package to @trustsignal/web.
apps/watcher/src/index.js	Rebrands watcher log strings and notification titles.
apps/api/src/services/registryAdapters.ts	Expands registry sources, adds snapshots, new provider types, job metadata, and test hooks.
apps/api/src/services/compliance.ts	Updates/duplicates system prompt wording.
apps/api/src/server.ts	Rebrands verifierId/service name, refactors revocation auth handling, adjusts per-route rate limit config.
apps/api/src/security.ts	Switches API-key fingerprinting to HMAC + adds revocation auth context typing.
apps/api/src/security-hardening.test.ts	Adds stronger revocation negative/edge-case coverage.
apps/api/src/registryLoader.test.ts	Updates imports to @trustsignal/core.
apps/api/src/registry-adapters.test.ts	Expands expected registry source IDs list.
apps/api/src/registry-adapters-new-sources.test.ts	Adds new test coverage for new registry sources and snapshot behavior.
apps/api/src/env.ts	Switches env loading to dotenv + expands DB URL resolution logic.
apps/api/src/db.ts	Adds DB columns for accessType/jobType/snapshot metadata.
apps/api/prisma/schema.prisma	Adds Prisma fields for RegistrySource/accessType and RegistryOracleJob metadata.
apps/api/package.json	Renames package and updates core dependency scope.
apps/api/SETUP.md	Rebrands setup doc and docker container naming.
apps/api/.env.example	Adds env vars for new registry sources + snapshot dir.
USER_MANUAL.md	Rebrands user manual language.
SECURITY_CHECKLIST.md	Rebrands checklist title and references.
README.md	Rewrites intro and updates links/auth guidance (now claims bearer-token flow).
.gitignore	Adds Python cache/pyc ignore patterns.
.github/workflows/zizmor.yml	Adds zizmor advisory workflow audit job.
.github/workflows/trivy.yml	Adds Trivy filesystem scanning with SARIF upload.
.github/workflows/main.yml	Pins checkout action and adds minimal permissions block.
.github/workflows/dependency-review.yml	Adds dependency diff review workflow.
.github/workflows/copilotsetupsteps.yml	Pins actions and adds workflow permissions.
.github/workflows/ci.yml	Pins actions and adds workflow permissions.
.github/CODEOWNERS	Adds CODEOWNERS entries for repo areas.

Comments suppressed due to low confidence (1)

docs/ops/monitoring/alert-rules.yml:77

• Alert names were rebranded to TrustSignal*, but the rule expressions and labels still reference deedshield_* metrics and service: deedshield-api. If the intent is a full rename, these should be updated together (or keep the legacy alert names) to avoid confusion and broken alerting when metric/service naming diverges.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The test script hard-codes an API key value in-repo. Even if this is a non-production key, committing it risks accidental reuse and will trigger secret scanners. Prefer reading API_KEY from the environment (or prompting) and fail with a clear message when it’s missing.

[Copilot]

The README’s curl example uses Authorization: Bearer $TRUSTSIGNAL_ACCESS_TOKEN, but the /api/v1/verify route in apps/api/src/server.ts is guarded by requireApiKeyScope (expects x-api-key). Either update the docs back to x-api-key for this API surface, or implement bearer-token auth in the server so the example matches reality.

[Copilot]

For snapshot-backed sources, buildMatches(subject, snapshot.candidates) is computed twice (once to determine status and again for the returned matches). This repeats scoring/sorting work unnecessarily; compute it once and reuse the result for both status and matches.

Suggested change

	return {
	status: buildMatches(subject, snapshot.candidates).length > 0 ? 'MATCH' : 'NO_MATCH',
	matches: buildMatches(subject, snapshot.candidates),
	const matches = buildMatches(subject, snapshot.candidates);
	return {
	status: matches.length > 0 ? 'MATCH' : 'NO_MATCH',
	matches,

[Copilot]

The default snapshot directory is derived from __dirname. This will resolve to different locations when running via tsx (src) vs node dist (dist), which can lead to snapshots being written under dist/ in production. Prefer a stable default like process.cwd() (still overridable via REGISTRY_SNAPSHOT_DIR) so snapshot storage is consistent across run modes.

[Copilot]

The Cook County system prompt now contains two consecutive sentences starting with “You are an AI assistant integrated into TrustSignal...” with slightly different product descriptions. This duplication is likely accidental and can dilute prompt clarity; keep a single canonical version.

Suggested change

You are an AI assistant integrated into TrustSignal, an evidence verification and title workflow automation platform. Your primary responsibility is to validate real estate documents against Cook County Clerk's Office recording requirements and identify policy mismatches before submission.

[Copilot]

This report includes absolute local paths (e.g., /Users/.../coverage/coverage-summary.json). These paths won’t exist for other readers and may leak workstation details; prefer repo-relative paths or describe outputs in a location-agnostic way.

[Copilot]

PR description says this is docs-only with no runtime changes, but this PR includes substantive code-path changes (API auth/rate limiting/registry adapters, Rust proof generation, package renames). Please update the PR title/description/scope or split into smaller PRs so reviewers can assess runtime impact appropriately.

[Copilot]

This doc references npm run check:api-boundary, but there doesn’t appear to be any script/command with that name in the repo. Either add the script (and describe where it lives) or adjust the guardrails section to reference an actual enforced check so readers don’t assume a protection exists when it doesn’t.

[Copilot]

This file contains absolute local machine paths (e.g., /Users/...) which are not portable and leak developer workstation details into the repo. Replace with repo-relative links/paths (or remove the path references) so the document is usable for external reviewers.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e4bffa380f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve legacy verifierId when hydrating stored receipts

Changing the reconstructed verifierId to trustsignal for every row breaks verification of receipts created before the rebrand (which were signed with deed-shield). verifyStoredReceipt recomputes the unsigned payload hash/signature from this reconstructed object, so historical records will now fail integrity/signature checks even though the stored receipt data is otherwise unchanged.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Assign raw Supabase password instead of encoded string

In the Supabase pooler fallback path, URL.password is being set to encodeURIComponent(supabasePassword), but URL.password already handles percent-encoding. This double-encodes credentials containing reserved characters (for example % becoming %25 again), which produces an invalid DATABASE_URL and can cause authentication failures when connecting to Postgres.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Keep /verify-artifact mapped to artifact verification UI

This redirect removes the dedicated artifact-verification flow from /verify-artifact and sends users to /verify, which is a different bundle-verification path. Since ArtifactVerifyClient is no longer mounted by any page, existing links/bookmarks for local artifact fingerprint verification now lose that functionality.

Useful? React with 👍 / 👎.

In general, to fix missing rate limiting on an authorization-related route in a Fastify app, you configure the @fastify/rate-limit plugin globally (already present in this project) and add per-route config.rateLimit settings so that expensive or security-sensitive handlers cannot be abused via high request volumes. Here, we should add a rateLimit configuration to the /api/v1/auth/logout route, similar in spirit to the existing login rate limit on /api/v1/auth/login, but with appropriately relaxed limits since logout is cheaper.

Concretely, in apps/api/src/server.ts, locate the app.post('/api/v1/auth/logout', async (request, reply) => { ... }); definition around lines 1693–1709. Change this route definition to use the Fastify options object form with a config property that specifies a rateLimit block, analogous to the login handler above. For example, we can allow a higher volume of logouts (e.g., max: 60 per minute per IP) to avoid impacting normal users while still mitigating abuse. The plugin import already exists (import rateLimit from '@fastify/rate-limit';), and no new helper methods are needed; we only add the route-level configuration object between the path string and the async handler. No other files or lines need to be modified.

In general, the problem is fixed by applying appropriate rate limiting to HTTP handlers that perform authorization or other expensive operations, so that a single client cannot overwhelm the service with repeated requests. This project already uses Fastify’s @fastify/rate-limit plugin and defines a perApiKeyRateLimit configuration that is applied to other sensitive routes; the best fix is to apply the same pattern to the OAuth consent POST route.

Concretely, in apps/api/src/server.ts, locate the app.post('/api/v1/oauth/authorize/consent', ...) definition around line 1819. Currently it is declared with only the URL and the handler function. We should change it to use the object‑form route options, adding config: { rateLimit: perApiKeyRateLimit } (or another appropriate limiter that is already defined in this file) so that Fastify’s rate‑limit plugin will enforce limits on this endpoint. The project already imports and uses rateLimit and perApiKeyRateLimit elsewhere (e.g., for /api/v1/clients/:clientId/keys), so no new imports or helper definitions are required—just adding the config property to this route’s options.

This keeps existing functionality and behavior intact: the handler logic remains unchanged; we only add metadata for Fastify’s route options. All listed alert variants (1–1e) are addressed because they refer to calls within this same handler, and rate limiting at the route level protects all of them.

In general, to fix missing rate limiting on a security‑sensitive route in a Fastify app, you ensure that: (1) the @fastify/rate-limit plugin is registered on the Fastify instance; and (2) the route is configured with an appropriate config.rateLimit or included within a rate‑limited scope. For consistency and least surprise, it’s best to reuse an existing, well‑vetted rate‑limit policy (such as perApiKeyRateLimit) that is already used for other OAuth‑related endpoints in this file.

For this specific code, the /api/v1/token route already has a custom, per‑IP rate limit configuration. Other OAuth endpoints nearby (/api/v1/introspect, /api/v1/clients/:clientId/revoke) use config: { rateLimit: perApiKeyRateLimit }, which is likely the intended policy for authenticated API clients. To fix the CodeQL finding and align with existing security patterns without changing semantics elsewhere, we should replace the ad‑hoc rateLimit configuration on /api/v1/token with perApiKeyRateLimit. This keeps behavior coherent and guarantees that the handler is clearly rate‑limited in the same way as related authorization endpoints.

Concretely:

• In apps/api/src/server.ts, locate the app.post('/api/v1/token', { config: { rateLimit: { ... } } }, ...) definition around line 2133.
• Replace the inner rateLimit object (max/timeWindow/keyGenerator) with perApiKeyRateLimit, matching how /api/v1/introspect and /api/v1/clients/:clientId/revoke are configured.
• No new imports or helpers are needed because perApiKeyRateLimit is already in scope and used in this file.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0ef74a34bc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Require auth on client lookup endpoint

This route is publicly reachable and returns client IDs/scopes for any userEmail query, so an unauthenticated caller can enumerate another tenant’s registered clients just by knowing or guessing an email address. Given that other client-management routes enforce API-key ownership checks, leaving GET /api/v1/clients unauthenticated creates an avoidable data-exposure path and weakens least-privilege controls.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Remove committed API key from test script

A concrete API key value is hardcoded in-repo, which risks credential leakage and accidental unauthorized use if the token is valid in any environment. Even if intended for testing, committing a real-looking secret violates secret-handling controls and should be replaced with an environment variable or placeholder so no sensitive token is stored in source history.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Provide access-token config before issuing tokens

The token endpoint now passes securityConfig.accessTokens into issueAccessToken, but buildSecurityConfig (in apps/api/src/security.ts) does not construct an accessTokens field, so this value is undefined. As soon as a valid OAuth flow reaches token issuance, issueAccessToken dereferences input.accessTokenConfig.current and fails, turning successful authorization-code/client-credentials exchanges into server errors.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5734649049

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Accept bearer tokens in protected-route auth chain

The new OAuth flow issues Bearer access tokens, but all protected endpoints are still guarded by authPreHandlers that call requireApiKeyScope, which only authenticates x-api-key and never inspects Authorization headers (see apps/api/src/security.ts). In practice, clients can successfully mint tokens from /api/v1/token but cannot use them on routes like /api/v1/verify or /api/v1/receipts, so the new token-based auth path is nonfunctional until bearer-token validation is wired into these prehandlers.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Constrain remote JWKS URLs to prevent SSRF

Client assertions are verified with createRemoteJWKSet(new URL(client.jwksUrl)), which causes server-side HTTP fetches to a URL controlled by client registration data. Since this commit also allows self-service client registration with jwksUrl, an attacker can register internal/private endpoints as JWKS and force outbound requests during token exchange, creating an SSRF path. Restrict jwksUrl to trusted HTTPS domains (or require uploaded JWKS) before using remote key sets.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Reject unknown requested scopes instead of over-granting

resolveGrantedScopes currently treats any parsed-empty requested scope set as equivalent to “no scope requested” and grants all allowed scopes. Because parseScopeSet drops unsupported scope tokens, requests like scope=foo can unintentionally receive full default scopes instead of invalid_scope, which over-grants permissions on malformed/typoed OAuth requests and breaks least-privilege behavior.

Useful? React with 👍 / 👎.

[Copilot]

Pull request overview

Copilot reviewed 67 out of 71 changed files in this pull request and generated 14 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This report embeds absolute local paths (e.g., /Users/christopher/Projects/...) in multiple places. These paths aren’t portable and expose local environment details; please convert them to repo-relative paths (or remove them) so the document remains usable in other environments.

[Copilot]

createIngestJob also uses as never for the Prisma create payload, which disables compile-time validation for required/optional fields. Please replace this with a properly typed Prisma input (or fix client generation) so schema changes don’t silently break job creation.

[Copilot]

RedisAssertionReplayStore.reserve() opens a new TCP/TLS connection to Redis for every reservation, authenticates/selects DB, issues a single command, and then destroys the socket. At moderate QPS this will be slow and can exhaust Redis/client resources. Please use a real Redis client with connection pooling (or keep a persistent connection) and add timeouts/retry/backoff behavior appropriate for auth-path dependencies.

[Copilot]

This script commits what looks like a real API key (API_KEY=...). Even for test suites, secrets must not be checked into the repo. Please change this to read from an environment variable (or a local .env file) and update the script to fail with a clear message when the key is missing; also rotate/revoke the exposed key if it was valid.

[Copilot]

This PR is labeled/docs-described as having “No code-path or runtime behavior changes”, but it includes substantial runtime changes (new auth/token/OAuth flows, DB schema/migrations, rate limiting, registry adapter behavior, Rust proof generation changes, etc.). Please update the PR description/scope or split this into separate PRs so reviewers can assess the behavioral changes appropriately.

[Copilot]

This file now defines significant schema (Client/OAuth/etc.) via runtime CREATE TABLE/ALTER TABLE statements, while the same schema is also introduced via Prisma migrations in this PR. Maintaining both as sources of truth is likely to drift over time and can create subtle environment differences (depending on whether migrations run). Consider consolidating on one mechanism (preferably migrations) or generating the runtime bootstrap from the migration history to guarantee they stay identical.

[Copilot]

This doc includes absolute local filesystem paths (e.g., /Users/christopher/...) which won’t resolve for other readers and leaks local machine details into the repo. Please replace these with repo-relative paths/links (or remove them) and keep any machine-specific artifact locations out of committed documentation.

[Copilot]

PrismaAssertionReplayStore.reserve() deletes all expired nonces on every call. Even with an index, this adds an extra write query to a latency-sensitive token path and can create avoidable DB churn. Consider moving cleanup to a periodic job (or doing opportunistic cleanup with a low probability / bounded batch size).

Suggested change

	await this.prisma.clientAssertionNonce.deleteMany({
	where: {
	expiresAt: {
	lt: new Date()
	}
	}
	});
	// Opportunistic cleanup: avoid running a write-heavy delete on every call
	// to keep the latency-sensitive token path fast. Expired nonces are still
	// cleaned up over time without adding churn to every request.
	if (Math.random() < 0.01) {
	await this.prisma.clientAssertionNonce.deleteMany({
	where: {
	expiresAt: {
	lt: new Date()
	}
	}
	});
	}

[Copilot]

The root package.json declares engines.node = 20.x, but this CI job sets node-version: 22. This can introduce hard-to-debug differences between CI and supported runtime (and may produce engine warnings or break builds). Please align this to Node 20 unless there’s a specific reason to test Node 22 here (in which case, consider testing both explicitly).

Suggested change

	node-version: 22
	node-version: '20'

[Copilot]

UserAccount.passwordHash/passwordSalt are created with NOT NULL DEFAULT '' here, but the Prisma migration adds these as required fields without defaults. Defaulting to empty strings can permit creating user records without a real password hash/salt and makes the runtime-bootstrapped schema diverge from the migrated schema. Please align the DDL with the Prisma schema/migrations and avoid insecure defaults for credential fields.

Suggested change

	"passwordHash" TEXT NOT NULL DEFAULT '',
	"passwordSalt" TEXT NOT NULL DEFAULT '',
	"passwordHash" TEXT NOT NULL,
	"passwordSalt" TEXT NOT NULL,