Objective
Harden Odoo startup and data-workflow credential preflight so public non-local Odoo runtimes cannot be exposed with default or missing admin/master credential safety.
Finish Line
Public Odoo runtimes fail closed on unsafe credentials
Current Status
State: Completed by PR #33 and merged to odoo-devkit main. Public/non-local Odoo startup now rejects default master passwords, requires ODOO_ADMIN_PASSWORD, and checks the active admin credential even when no admin override was configured. Local/dev startup can still omit the admin override.
Next action: Done; Launchplane #492 and tenant CM #29 can treat the startup credential preflight blocker as resolved.
Blocked by: none.
Last verified: 2026-05-09; local ruff/format checks passed, uv run python -m unittest discover -s tests passed with 107 tests, PR #33 CI/CodeQL passed, and post-merge main CI/CodeQL passed.
Scope
- Startup wrapper credential policy in
docker/scripts/run_odoo_startup.py.
- Local/remote data workflow credential checks where they can expose or restore data into a public target.
- Tests in
tests/test_odoo_startup.py and related runtime workflow tests.
- Keep local developer loops usable, but require explicit opt-in if local default credentials remain allowed.
Acceptance Criteria
- Missing
ODOO_MASTER_PASSWORD still fails startup.
- Unsafe
ODOO_MASTER_PASSWORD=admin or another documented default fails for non-local/public runtimes.
- Active
admin/admin is rejected even when ODOO_ADMIN_PASSWORD is not configured for non-local/public runtimes.
- Missing
ODOO_ADMIN_PASSWORD fails for preview/testing/prod unless a documented safe bootstrap mode proves the admin user is already hardened.
- Tests cover safe configured admin password, missing admin password on public runtime, active default admin password, and local/dev allowance if retained.
Relationships
- Supports
cbusillo/launchplane#492.
- Supports
cbusillo/odoo-tenant-cm#29 public preview safety.
Validation
uv run python -m unittest tests.test_odoo_startup tests.test_runtime tests.test_remote_runtime.- Broader
uv run python -m unittest before merge.
Decisions
- Default Odoo credentials are not acceptable for public previews, even when CM has no production data yet.
- Credential hardening belongs in devkit startup/data workflow code because that is where Odoo state is initialized and exposed.
Open Questions
- Should public runtime detection use
PLATFORM_INSTANCE != local, a dedicated ODOO_PUBLIC_RUNTIME=1, or Launchplane-supplied preview metadata?
Objective
Harden Odoo startup and data-workflow credential preflight so public non-local Odoo runtimes cannot be exposed with default or missing admin/master credential safety.
Finish Line
Public Odoo runtimes fail closed on unsafe credentials
Current Status
State: Completed by PR #33 and merged to
odoo-devkitmain. Public/non-local Odoo startup now rejects default master passwords, requiresODOO_ADMIN_PASSWORD, and checks the active admin credential even when no admin override was configured. Local/dev startup can still omit the admin override.Next action: Done; Launchplane #492 and tenant CM #29 can treat the startup credential preflight blocker as resolved.
Blocked by: none.
Last verified: 2026-05-09; local ruff/format checks passed,
uv run python -m unittest discover -s testspassed with 107 tests, PR #33 CI/CodeQL passed, and post-merge main CI/CodeQL passed.Scope
docker/scripts/run_odoo_startup.py.tests/test_odoo_startup.pyand related runtime workflow tests.Acceptance Criteria
ODOO_MASTER_PASSWORDstill fails startup.ODOO_MASTER_PASSWORD=adminor another documented default fails for non-local/public runtimes.admin/adminis rejected even whenODOO_ADMIN_PASSWORDis not configured for non-local/public runtimes.ODOO_ADMIN_PASSWORDfails for preview/testing/prod unless a documented safe bootstrap mode proves the admin user is already hardened.Relationships
cbusillo/launchplane#492.cbusillo/odoo-tenant-cm#29public preview safety.Validation
uv run python -m unittest tests.test_odoo_startup tests.test_runtime tests.test_remote_runtime.uv run python -m unittestbefore merge.Decisions
Open Questions
PLATFORM_INSTANCE != local, a dedicatedODOO_PUBLIC_RUNTIME=1, or Launchplane-supplied preview metadata?