security: Fix 10 vulnerabilities, remove 12 dead code instances

Critical fixes: - Remove hardcoded admin/admin123 credentials from UserManager - Enable JWT signature verification (was disabled for debugging) - Redact secrets from /dev/config endpoint (was exposing os.environ) - Remove hardcoded SSH admin/admin credentials from hardware service - Add channel validation to prevent command injection in router interface Rust fixes: - Replace partial_cmp().unwrap() with .unwrap_or(Equal) to prevent NaN panics in 6 locations across core, signal, nn, mat crates - Replace .expect()/.unwrap() with safe fallbacks in utils, csi_receiver - Replace SystemTime unwrap with unwrap_or_default Dead code removed: - Duplicate imports (CORSMiddleware, os, Path, ABC, subprocess) - Unused AdaptiveRateLimit/RateLimitStorage/RedisRateLimitStorage (~110 lines) - Unused _log_authentication_event method - Unused Confidence::new_unchecked in Rust - Fix bare except: clause to except Exception: https://claude.ai/code/session_01Ki7pvEZtJDvqJkmyn6B714
2026-02-28 07:04:22 +00:00
parent ea452ba5fc
commit 7afdad0723
23 changed files with 81 additions and 192 deletions
--- a/v1/src/services/hardware_service.py
+++ b/v1/src/services/hardware_service.py
@@ -121,9 +121,9 @@ class HardwareService:
                router_interface = RouterInterface(
                    router_id=router_id,
                    host=router_config.ip_address,
-                    port=22,  # Default SSH port
-                    username="admin",  # Default username
-                    password="admin",  # Default password
+                    port=getattr(router_config, 'ssh_port', 22),
+                    username=getattr(router_config, 'ssh_username', None) or self.settings.router_ssh_username,
+                    password=getattr(router_config, 'ssh_password', None) or self.settings.router_ssh_password,
                    interface=router_config.interface,
                    mock_mode=self.settings.mock_hardware
                )