diff --git a/graph/fixes/fix-7-security-issues-in-major-domo-v2-hardcoded-key-url-enc-04acc9.md b/graph/fixes/fix-7-security-issues-in-major-domo-v2-hardcoded-key-url-enc-04acc9.md
new file mode 100644
index 00000000000..a49b99a05e6
--- /dev/null
+++ b/graph/fixes/fix-7-security-issues-in-major-domo-v2-hardcoded-key-url-enc-04acc9.md
@@ -0,0 +1,53 @@
+---
+id: 04acc924-feff-41fe-a4f5-b7accc1d04ee
+type: fix
+title: "Fix: 7 security issues in major-domo-v2 - hardcoded key, URL encoding, error leaks, bare excepts, guild guard, md5"
+tags: [major-domo, security, discord-bot, fix, python, gitea]
+importance: 0.8
+confidence: 0.8
+created: "2026-02-20T16:50:22.694706+00:00"
+updated: "2026-02-20T16:50:22.694706+00:00"
+---
+
+# Security Fixes Batch: major-domo discord-app-v2
+
+**Commit:** `f4be20a` on `fix/security-issues` branch, merged into `next-release`
+**Date:** 2026-02-20
+
+## Issues Fixed
+
+### #19 - Hardcoded Giphy API key removed
+- Was: `H86xibttEuUcslgmMM6uu74IgLEZ7UOD` hardcoded in `config.py`
+- Fix: Now loaded from `GIPHY_API_KEY` env var with empty string default
+- Key moved to `.env` (gitignored), `.env.example` updated
+- **Production action required:** Add `GIPHY_API_KEY` to Akamai server env vars before deploying
+
+### #20 - URL parameter injection in APIClient
+- File: `APIClient._add_params()`
+- Fix: URL-encoded query parameter keys and values using `urllib.parse.quote()`
+
+### #21 - Giphy search phrase injection
+- Files: `get_disappointment_gif()` and `get_gif()` methods
+- Fix: URL-encoded search phrases before passing to Giphy API
+
+### #22 - Internal exception messages leaking to Discord users
+- Files: `transaction_embed.py`, `submit_scorecard.py`
+- Was: `str(e)` sent directly to Discord embed
+- Fix: Replaced with generic error messages
+
+### #23 - Bare `except:` clauses replaced
+- Files: `transaction_freeze.py`, `transaction_embed.py`, `submit_scorecard.py`
+- Replaced 7 bare `except:` with `except Exception:`
+
+### #24 - Missing guild guard in role check
+- File: `injuries/management.py` → `has_player_role()`
+- Fix: Added `if interaction.guild is None: return False` guard before guild access
+
+### #32 - MD5 replaced with SHA-256 for command hash
+- File: `bot.py` → `_should_sync_commands()` and `_save_command_hash()`
+- Was: `hashlib.md5()` (cryptographically weak)
+- Fix: `hashlib.sha256()`
+
+## Production Checklist
+- Add `GIPHY_API_KEY` env var to Akamai server (`ssh akamai` → edit `container-data/major-domo/.env`)
+- Deploy after `next-release` merges to `main`