Scrub tracked secrets and switch ATVM docs to local credential references

- remove hardcoded credentials, tokens, registration codes, and similar secret values from tracked ATVM and CDS MCP docs
- replace those values with references to /home/aw/code/cds/.env.credentials.local and the corresponding environment variable names
- update current operator guides to instruct sourcing .env.credentials.local before credential-dependent setup and automation workflows
- update the ATVM setup scripts to consume ATVM_TARGET_PASSWORD from the environment instead of hardcoding the Ubuntu root SSH password
- scrub the remaining tracked artifact log entry that still included the old CMC registration code
- keep the local-only credential inventory in .env.credentials.local while leaving that file untracked

atvm/docs/setup/guide.md

@@ -12,7 +12,7 @@ Do not put dated run examples here.
 The setup flow performs a controlled bootstrap across supported Linux distributions:
 1. Validate target host identity using expected IP + expected hostname before any configuration.
 2. Fix repositories (especially CD/DVD media repo entries).
-3. On Ubuntu, configure root SSH password-login workflow (`root/cdsi2012`) for follow-on root operations.
+3. On Ubuntu, configure root SSH password-login workflow using `ATVM_TARGET_PASSWORD` for follow-on root operations.
 4. On Oracle Linux, set default boot kernel to non-UEK when available.
 5. Disable unattended auto-upgrades on Ubuntu.
 6. Remove specific storage-related packages and install base tooling.
@@ -27,10 +27,10 @@ The setup flow performs a controlled bootstrap across supported Linux distributi
 - Shell safety flags: `set -euo pipefail`
 - Logging: colorized console + plain text log file
 - Entry point: `main "$@"`
-- Default operator assumption for setup access: `root / cdsi2012` unless explicitly overridden.
+- Default operator assumption for setup access: source `/home/aw/code/cds/.env.credentials.local` and use `ATVM_TARGET_USER` plus `ATVM_TARGET_PASSWORD` unless explicitly overridden.
 - When the operator refers to `192.168.3.191`, treat it as the default ATVM target host.
 - For SSH to `192.168.3.191`, ignore host key mismatch by default with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`.
-- For SSH to `192.168.3.191`, use `root / cdsi2012` unless the operator explicitly provides different credentials.
+- For SSH to `192.168.3.191`, source `/home/aw/code/cds/.env.credentials.local` and use `ATVM_TARGET_USER` plus `ATVM_TARGET_PASSWORD` unless the operator explicitly provides different credentials.
 
 ## Mandatory Identity Gate
 Setup must not start unless operator explicitly provides both values:
@@ -76,7 +76,7 @@ Rules:
 
 ### Ubuntu Root SSH Workflow
 - Ubuntu only.
-- Set root password `cdsi2012`, unlock root account.
+- Require `ATVM_TARGET_PASSWORD` in the environment, then set the root password to that value and unlock the root account.
 - Write `/etc/ssh/sshd_config.d/99-atvm-root-login.conf` enabling root + password auth.
 - Validate config and restart SSH service.
 
@@ -135,6 +135,7 @@ Required post-run validation:
 ## Preferred Execution Commands
 Direct client execution:
 ```bash
+source /home/aw/code/cds/.env.credentials.local
 sudo bash /home/cirrususer/atvm-setup-script.sh \
   --expected-ip <current-client-ip> \
   --expected-hostname <exact-hostname>
@@ -142,12 +143,14 @@ sudo bash /home/cirrususer/atvm-setup-script.sh \
 
 Controller run + collect:
 ```bash
+source /home/aw/code/cds/.env.credentials.local
 EXPECTED_IP_ARG=<current-client-ip> EXPECTED_HOSTNAME_ARG=<exact-hostname> \
 /home/aw/code/cds/atvm/scripts/run-atvm-setup-and-collect-log.sh
 ```
 
 Controller collect-only after client run:
 ```bash
+source /home/aw/code/cds/.env.credentials.local
 /home/aw/code/cds/atvm/scripts/run-atvm-setup-and-collect-log.sh --collect-after-complete
 ```