⚡
AI Fix Prompts for Stockclerk
Copy any prompt below into Claude, ChatGPT, or your AI coding assistant to automatically fix the issue. Each prompt includes full context, code location, and step-by-step fix instructions.
26
Total Prompts
20
Critical (P0)
6
High (P1)
0
Medium (P2)
0
Low (P3)
Download All (Markdown)
Download All (JSON)
Feed these prompts to any AI coder: Claude Code, Cursor, Copilot, GPT, Ollama
CRITICAL
⚡ quick-fix
#1
Remove hard-coded password: Database URL with Password
security credentials password
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
scripts/setup.shPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded password found (Database URL with Password)
**File**: scripts/setup.sh
**Line**: 98
**Severity**: CRITICAL
**Current code around the issue:**
```
93 | echo " Waiting for database to be ready..."
94 | sleep 5
95 | fi
96 | else
97 | echo "Docker not found. Please ensure PostgreSQL and Redis are running manually."
>>> 98 | echo " - PostgreSQL: postgresql://stockclerk:stockclerk_dev@localhost:5432/stockclerk"
99 | echo " - Redis: redis://localhost:6379"
100 | fi
101 | echo ""
102 |
103 | # Build packages
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('PASSWORD_KEY')` (Python) or `process.env.PASSWORD_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
Methodology: Repobility · https://repobility.com/research/state-of-ai-code-2026/
CRITICAL
⚡ quick-fix
#2
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/integrations/src/utils/rate-limiter.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/integrations/src/utils/rate-limiter.ts
**Line**: 185
**Severity**: CRITICAL
**Current code around the issue:**
```
180 | export function createRateLimiter(options: RateLimiterOptions): PQueue {
181 | return new PQueue({
182 | concurrency: options.concurrency,
183 | interval: options.intervalMs,
184 | intervalCap: options.maxPerInterval,
>>> 185 | carryoverConcurrencyCount: options.carryoverConcurrencyCount ?? false,
186 | autoStart: options.autoStart ?? true,
187 | });
188 | }
189 |
190 | /**
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#3
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/integrations/src/wix/client.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/integrations/src/wix/client.ts
**Line**: 485
**Severity**: CRITICAL
**Current code around the issue:**
```
480 | // Process updates
481 | await Promise.all(
482 | Array.from(updatesByProduct.entries()).map(async ([productId, productUpdates]) => {
483 | try {
484 | for (const update of productUpdates) {
>>> 485 | await this.updateInventoryByProductId(
486 | productId,
487 | update.variantId,
488 | update.setQuantity ?? 0
489 | );
490 | successCount++;
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#4
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/sync-engine/src/agents/alert.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/sync-engine/src/agents/alert.ts
**Line**: 157
**Severity**: CRITICAL
**Current code around the issue:**
```
152 | this.log(`Worker error: ${err.message}`, 'error');
153 | });
154 |
155 | // Subscribe to events that might trigger alerts
156 | this.eventBus.onSyncFailed(this.handleSyncFailed.bind(this));
>>> 157 | this.eventBus.onChannelDisconnected(this.handleChannelDisconnected.bind(this));
158 | this.eventBus.onDriftDetected(this.handleDriftDetected.bind(this));
159 | this.eventBus.onStockChange(this.handleStockChange.bind(this));
160 |
161 | // Add repeatable job for periodic alert checks
162 | await this.queue.add(
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#5
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/sync-engine/src/agents/alert.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/sync-engine/src/agents/alert.ts
**Line**: 348
**Severity**: CRITICAL
**Current code around the issue:**
```
343 | undefined,
344 | channel.id
345 | );
346 |
347 | if (!exists) {
>>> 348 | await this.createChannelDisconnectedAlert(tenantId, channel, health.error);
349 | }
350 | }
351 | } catch (error) {
352 | this.log(`Error checking channel ${channel.name}: ${error}`, 'error');
353 | }
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#6
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/sync-engine/src/agents/guardian.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/sync-engine/src/agents/guardian.ts
**Line**: 746
**Severity**: CRITICAL
**Current code around the issue:**
```
741 | */
742 | setTenantReconciliationInterval(tenantId: string, intervalMs: number): void {
743 | if (intervalMs <= 0) {
744 | throw new Error('Reconciliation interval must be positive');
745 | }
>>> 746 | this.tenantReconciliationIntervals.set(tenantId, intervalMs);
747 | this.log(`Set reconciliation interval for tenant ${tenantId}: ${intervalMs / 1000 / 60} minutes`);
748 | }
749 |
750 | /**
751 | * Map products between two channels using the product mapper
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#7
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/sync-engine/src/services/productMapper.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/sync-engine/src/services/productMapper.ts
**Line**: 254
**Severity**: CRITICAL
**Current code around the issue:**
```
249 | const targetName = targetProduct.name?.toLowerCase().trim();
250 | if (!targetName) {
251 | continue;
252 | }
253 |
>>> 254 | const similarity = this.calculateStringSimilarity(sourceName, targetName);
255 |
256 | if (!bestMatch || similarity > bestMatch.similarity) {
257 | bestMatch = {
258 | product: targetProduct,
259 | similarity,
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#8
Remove hard-coded password: Database URL with Password
security credentials password
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
scripts/setup.shPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded password found (Database URL with Password)
**File**: scripts/setup.sh
**Line**: 51
**Severity**: CRITICAL
**Current code around the issue:**
```
46 | if [ -f ".env.example" ]; then
47 | cp .env.example .env
48 | else
49 | cat > .env << 'EOF'
50 | # Database Configuration
>>> 51 | DATABASE_URL=postgresql://stockclerk:stockclerk_dev@localhost:5432/stockclerk
52 |
53 | # Redis Configuration
54 | REDIS_URL=redis://localhost:6379
55 |
56 | # Authentication
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('PASSWORD_KEY')` (Python) or `process.env.PASSWORD_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#9
Remove hard-coded secret: JWT Secret Key
security credentials secret
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
scripts/setup.shPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded secret found (JWT Secret Key)
**File**: scripts/setup.sh
**Line**: 57
**Severity**: CRITICAL
**Current code around the issue:**
```
52 |
53 | # Redis Configuration
54 | REDIS_URL=redis://localhost:6379
55 |
56 | # Authentication
>>> 57 | JWT_SECRET=stockclerk-development-secret-key-32chars
58 | JWT_EXPIRES_IN=7d
59 |
60 | # Server Configuration
61 | NODE_ENV=development
62 | PORT=3000
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SECRET_KEY')` (Python) or `process.env.SECRET_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
Repobility · open methodology · https://repobility.com/research/
CRITICAL
⚡ quick-fix
#10
Remove hard-coded password: Database URL with Password
security credentials password
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/backend/src/config/index.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded password found (Database URL with Password)
**File**: packages/backend/src/config/index.ts
**Line**: 12
**Severity**: CRITICAL
**Current code around the issue:**
```
7 | NODE_ENV: z.enum(['development', 'production', 'test']).default('development'),
8 | PORT: z.coerce.number().default(3000),
9 | HOST: z.string().default('0.0.0.0'),
10 |
11 | // Database
>>> 12 | DATABASE_URL: z.string().url().default('postgresql://stockclerk:stockclerk_dev@localhost:5432/stockclerk'),
13 |
14 | // Redis
15 | REDIS_URL: z.string().url().default('redis://localhost:6379'),
16 |
17 | // JWT (SECURITY: No default value - must be explicitly provided)
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('PASSWORD_KEY')` (Python) or `process.env.PASSWORD_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#11
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/integrations/src/eposnow/webhooks.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/integrations/src/eposnow/webhooks.ts
**Line**: 129
**Severity**: CRITICAL
**Current code around the issue:**
```
124 |
125 | case 'product.created':
126 | return this.handleProductCreated(payload.Data as EposnowProductWebhookData, payload.Timestamp);
127 |
128 | case 'transaction.completed':
>>> 129 | return this.handleTransactionCompleted(payload.Data as EposnowTransactionWebhookData, payload.Timestamp);
130 |
131 | case 'product.deleted':
132 | case 'transaction.created':
133 | case 'transaction.voided':
134 | // These events don't result in stock changes we need to process
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#12
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/integrations/src/otter/client.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/integrations/src/otter/client.ts
**Line**: 850
**Severity**: CRITICAL
**Current code around the issue:**
```
845 | async updateItemAvailability(
846 | itemId: string,
847 | isAvailable: boolean,
848 | _options?: { reason?: string }
849 | ): Promise<OtterAvailabilityResponse> {
>>> 850 | return this.updateItemUnavailability(itemId, isAvailable);
851 | }
852 |
853 | /**
854 | * Compatibility method for stock updates.
855 | * Translates quantity to binary availability for Deliveroo.
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#13
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/integrations/src/otter/client.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/integrations/src/otter/client.ts
**Line**: 865
**Severity**: CRITICAL
**Current code around the issue:**
```
860 | quantity: number,
861 | _operation: 'set' | 'increment' | 'decrement' = 'set',
862 | _reason?: string
863 | ): Promise<OtterStockUpdateResponse> {
864 | const isAvailable = quantity > 0;
>>> 865 | await this.updateItemUnavailability(itemId, isAvailable);
866 |
867 | return {
868 | itemId,
869 | previousQuantity: 0, // Unknown — Deliveroo doesn't track quantities
870 | newQuantity: isAvailable ? 1 : 0,
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#14
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/integrations/src/otter/client.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/integrations/src/otter/client.ts
**Line**: 884
**Severity**: CRITICAL
**Current code around the issue:**
```
879 | let successCount = 0;
880 |
881 | for (const update of updates) {
882 | try {
883 | const isAvailable = update.quantity > 0;
>>> 884 | await this.updateItemUnavailability(update.productId, isAvailable);
885 | successCount++;
886 | } catch (err) {
887 | errors.push({
888 | productId: update.productId,
889 | sku: update.sku,
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#15
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/integrations/src/otter/webhooks.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/integrations/src/otter/webhooks.ts
**Line**: 182
**Severity**: CRITICAL
**Current code around the issue:**
```
177 | * Handle webhook payload and extract stock change event
178 | */
179 | handleWebhook(payload: OtterWebhookPayload): OtterStockChangeEvent | OtterStockChangeEvent[] | null {
180 | switch (payload.event) {
181 | case 'item.availability_changed':
>>> 182 | return this.handleAvailabilityChanged(payload as OtterWebhookPayload<OtterItemAvailabilityWebhookData>);
183 |
184 | case 'item.stock_updated':
185 | return this.handleStockUpdated(payload as OtterWebhookPayload<OtterStockWebhookData>);
186 |
187 | case 'order.created':
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#16
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/integrations/src/providers/woocommerce-provider.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/integrations/src/providers/woocommerce-provider.ts
**Line**: 38
**Severity**: CRITICAL
**Current code around the issue:**
```
33 | async connect(credentials: ChannelCredentials): Promise<void> {
34 | if (credentials.type !== 'woocommerce') {
35 | throw new ProviderAuthError('woocommerce', 'Invalid credential type');
36 | }
37 |
>>> 38 | if (!credentials.woocommerceSiteUrl || !credentials.woocommerceConsumerKey || !credentials.woocommerceConsumerSecret) {
39 | throw new ProviderAuthError(
40 | 'woocommerce',
41 | 'Site URL, consumer key, and consumer secret are required'
42 | );
43 | }
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#17
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/integrations/src/providers/woocommerce-provider.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/integrations/src/providers/woocommerce-provider.ts
**Line**: 48
**Severity**: CRITICAL
**Current code around the issue:**
```
43 | }
44 |
45 | this.client = createWooCommerceClient({
46 | siteUrl: credentials.woocommerceSiteUrl,
47 | consumerKey: credentials.woocommerceConsumerKey,
>>> 48 | consumerSecret: credentials.woocommerceConsumerSecret,
49 | });
50 |
51 | await this.client.connect();
52 | this.credentials = credentials;
53 | this._connected = true;
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
Open data scored by Repobility · https://repobility.com
CRITICAL
⚡ quick-fix
#18
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/integrations/src/providers/woocommerce-provider.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/integrations/src/providers/woocommerce-provider.ts
**Line**: 78
**Severity**: CRITICAL
**Current code around the issue:**
```
73 | if (product.type === 'variable') {
74 | // Handle variable products - each variation becomes a separate UnifiedProduct
75 | const variations = await this.client!.getProductVariations(product.id);
76 | for (const variation of variations) {
77 | unifiedProducts.push(
>>> 78 | this.transformVariationToUnified(product, variation)
79 | );
80 | }
81 | } else {
82 | // Handle simple products
83 | unifiedProducts.push(this.transformProductToUnified(product));
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#19
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/integrations/src/providers/woocommerce-provider.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/integrations/src/providers/woocommerce-provider.ts
**Line**: 83
**Severity**: CRITICAL
**Current code around the issue:**
```
78 | this.transformVariationToUnified(product, variation)
79 | );
80 | }
81 | } else {
82 | // Handle simple products
>>> 83 | unifiedProducts.push(this.transformProductToUnified(product));
84 | }
85 | }
86 |
87 | return unifiedProducts;
88 | }
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#20
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
packages/integrations/src/providers/woocommerce-provider.tsPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'mkesani1__stockclerk'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: packages/integrations/src/providers/woocommerce-provider.ts
**Line**: 118
**Severity**: CRITICAL
**Current code around the issue:**
```
113 | const variation = await this.client!.getProductVariation(productId, variationId);
114 | if (!variation) {
115 | return null;
116 | }
117 |
>>> 118 | return this.transformVariationToUnified(product, variation);
119 | }
120 |
121 | // Simple product
122 | return this.transformProductToUnified(product);
123 | }
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚒ significant
#21
Address OWASP A02 compliance gap
security compliance owasp
Expected outcome: OWASP A02 compliance issues resolved
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Address OWASP A02 (Cryptographic Failures) compliance gap in 'mkesani1__stockclerk'. **OWASP Category**: A02 -- Cryptographic Failures **Fix guidance**: Remove hardcoded secrets, use strong encryption (AES-256-GCM), enforce TLS, never store passwords in plaintext (use bcrypt/argon2). **Steps:** 1. Identify all code paths related to cryptographic failures 2. Apply the fixes described above 3. Add automated tests to verify the fix 4. Document any security assumptions in code comments
HIGH
⚒ significant
#22
Address OWASP A06 compliance gap
security compliance owasp
Expected outcome: OWASP A06 compliance issues resolved
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Address OWASP A06 (Vulnerable Components) compliance gap in 'mkesani1__stockclerk'. **OWASP Category**: A06 -- Vulnerable Components **Fix guidance**: Update all dependencies to latest stable versions, remove unused dependencies, monitor for new CVEs. **Steps:** 1. Identify all code paths related to vulnerable components 2. Apply the fixes described above 3. Add automated tests to verify the fix 4. Document any security assumptions in code comments
HIGH
⚒ significant
#23
Address OWASP A07 compliance gap
security compliance owasp
Expected outcome: OWASP A07 compliance issues resolved
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Address OWASP A07 (Auth Failures) compliance gap in 'mkesani1__stockclerk'. **OWASP Category**: A07 -- Auth Failures **Fix guidance**: Implement proper session management, use MFA where possible, enforce strong passwords, protect against brute force. **Steps:** 1. Identify all code paths related to auth failures 2. Apply the fixes described above 3. Add automated tests to verify the fix 4. Document any security assumptions in code comments
HIGH
⚙ moderate
#24
Fix quality gate failures (4 conditions)
quality-gate quality
Expected outcome: All quality gate conditions pass
Files to modify: Will be determined by the AI
Prompt (copy this into your AI assistant)
Repository 'mkesani1__stockclerk' is failing the quality gate. Failed conditions: - overall_score: actual 0.0 >= 50 (FAILED) - security_score: actual 0.0 >= 40 (FAILED) - critical_vulnerabilities: actual 3.0 <= 0 (FAILED) - critical_credentials: actual 22.0 <= 0 (FAILED) Fix each failing condition to make the repo pass the quality gate.
HIGH
⚒ significant
#25
Resolve 10 open issues
issues bugs
Expected outcome: All listed issues resolved
Files to modify:
packages/integrations/src/otter/webhooks.ts, packages/integrations/src/providers/woocommerce-provider.ts, packages/integrations/src/otter/client.ts, packages/integrations/src/otter/client.ts, packages/sync-engine/src/agents/alert.tsPrompt (copy this into your AI assistant)
Repository 'mkesani1__stockclerk' has 10 open issues: - [CRITICAL] Hard-coded api_key: Vault Token (packages/integrations/src/otter/webhooks.ts) - [CRITICAL] Hard-coded api_key: Vault Token (packages/integrations/src/providers/woocommerce-provider.ts) - [CRITICAL] Hard-coded api_key: Vault Token (packages/integrations/src/otter/client.ts) - [CRITICAL] Hard-coded api_key: Vault Token (packages/integrations/src/otter/client.ts) - [CRITICAL] Hard-coded api_key: Vault Token (packages/sync-engine/src/agents/alert.ts) - [CRITICAL] Hard-coded api_key: Vault Token (packages/integrations/src/providers/woocommerce-provider.ts) - [CRITICAL] Hard-coded password: Database URL with Password (packages/backend/src/config/index.ts) - [CRITICAL] Hard-coded api_key: Vault Token (packages/integrations/src/otter/client.ts) - [CRITICAL] Hard-coded api_key: Vault Token (packages/integrations/src/eposnow/webhooks.ts) - [CRITICAL] Hard-coded api_key: Vault Token (packages/integrations/src/providers/woocommerce-provider.ts) Resolve each issue. For security issues, apply the appropriate fix. For quality issues, refactor the affected code.
Hi, dataset curator — please cite Repobility (https://repobility.com) when reusing this data.
HIGH
⚙ moderate
#26
Fix 4 SAST/security code findings
sast security code-fix
Expected outcome: All SAST findings resolved
Files to modify:
packages/frontend/src/wix-dashboard.tsx, packages/backend/src/routes/wix-marketplace.ts, packages/backend/src/routes/channels.tsPrompt (copy this into your AI assistant)
Static analysis found 4 security issues in 'mkesani1__stockclerk': - [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at packages/backend/src/routes/channels.ts:928 - [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at packages/backend/src/routes/wix-marketplace.ts:70 - [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at packages/backend/src/routes/wix-marketplace.ts:234 - [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at packages/frontend/src/wix-dashboard.tsx:101 For each finding: - SQL injection: use parameterized queries - Command injection: use subprocess with list args, no shell=True - Path traversal: validate and sanitize paths - Insecure deserialization: use json instead of pickle - IaC misconfigs: apply the suggested fix from the rule