diff --git a/.gitignore b/.gitignore
index a7c84269..66ea8e6d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -194,6 +194,7 @@ engine/core/vendors/docs/*
 .initialized
 ./queries
 ./nginx.conf
+monitoring/web.yml
 
 # AI assistants
 .claude/
diff --git a/monitoring/generate_prometheus_password.py b/monitoring/generate_prometheus_password.py
deleted file mode 100644
index 57824c3f..00000000
--- a/monitoring/generate_prometheus_password.py
+++ /dev/null
@@ -1,9 +0,0 @@
-import getpass
-
-import bcrypt
-
-print(
-    bcrypt.hashpw(
-        getpass.getpass("Password: ").encode("utf-8"), bcrypt.gensalt()
-    ).decode()
-)
diff --git a/monitoring/web.yml b/monitoring/web.yml
deleted file mode 100644
index 77702174..00000000
--- a/monitoring/web.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-basic_auth_users:
-  schon: $2b$12$0HraDYmrZnJ089LcH9Vsn.Wv5V5a8oDlucTNm0.5obhULjPyLiYoy
diff --git a/scripts/Unix/install.sh b/scripts/Unix/install.sh
index 7ef3e258..6d6fe9b7 100755
--- a/scripts/Unix/install.sh
+++ b/scripts/Unix/install.sh
@@ -81,6 +81,10 @@ case "$install_choice" in
     fi
     log_success "Images built successfully"
 
+    # Generate Prometheus web config from .env
+    log_step "Generating Prometheus web config..."
+    generate_prometheus_web_config
+
     echo
     log_result "Docker installation complete!"
     log_info "You can now use: make run"
diff --git a/scripts/Unix/restart.sh b/scripts/Unix/restart.sh
index 5c5b94dc..5023ceeb 100755
--- a/scripts/Unix/restart.sh
+++ b/scripts/Unix/restart.sh
@@ -3,6 +3,10 @@ set -euo pipefail
 
 source ./scripts/Unix/starter.sh
 
+# Generate Prometheus web config from .env
+log_step "Generating Prometheus web config..."
+generate_prometheus_web_config
+
 # Shutdown services
 log_step "Shutting down..."
 if ! output=$(docker compose down 2>&1); then
diff --git a/scripts/Unix/run.sh b/scripts/Unix/run.sh
index 26cc9161..0702e4ad 100755
--- a/scripts/Unix/run.sh
+++ b/scripts/Unix/run.sh
@@ -20,6 +20,10 @@ else
   log_warning "jq is not installed; skipping image verification step."
 fi
 
+# Generate Prometheus web config from .env
+log_step "Generating Prometheus web config..."
+generate_prometheus_web_config
+
 # Start services
 log_step "Spinning services up..."
 if ! output=$(docker compose up --no-build --detach --wait 2>&1); then
diff --git a/scripts/Windows/install.ps1 b/scripts/Windows/install.ps1
index 12a59948..e066c89d 100644
--- a/scripts/Windows/install.ps1
+++ b/scripts/Windows/install.ps1
@@ -42,5 +42,9 @@ if ($LASTEXITCODE -ne 0) {
 }
 Write-Success "Images built successfully"
 
+# Generate Prometheus web config from .env
+Write-Step "Generating Prometheus web config..."
+New-PrometheusWebConfig
+
 Write-Result ""
 Write-Result "You can now use run.ps1 script or run: make run"
diff --git a/scripts/Windows/restart.ps1 b/scripts/Windows/restart.ps1
index b16493f7..fd248985 100644
--- a/scripts/Windows/restart.ps1
+++ b/scripts/Windows/restart.ps1
@@ -10,6 +10,10 @@ if ($LASTEXITCODE -ne 0) {
     exit $LASTEXITCODE
 }
 
+# Generate Prometheus web config from .env
+Write-Step "Generating Prometheus web config..."
+New-PrometheusWebConfig
+
 # Shutdown services
 Write-Step "Shutting down..."
 $output = docker compose down 2>&1
diff --git a/scripts/Windows/run.ps1 b/scripts/Windows/run.ps1
index 53e08b91..9c75cf3e 100644
--- a/scripts/Windows/run.ps1
+++ b/scripts/Windows/run.ps1
@@ -35,6 +35,10 @@ foreach ($prop in $config.services.PSObject.Properties)
     Write-Info "  Found image: $image"
 }
 
+# Generate Prometheus web config from .env
+Write-Step "Generating Prometheus web config..."
+New-PrometheusWebConfig
+
 # Start services
 Write-Step "Spinning services up..."
 $output = docker compose up --no-build --detach --wait 2>&1
diff --git a/scripts/lib/utils.ps1 b/scripts/lib/utils.ps1
index bc332c52..e320f22e 100644
--- a/scripts/lib/utils.ps1
+++ b/scripts/lib/utils.ps1
@@ -277,6 +277,43 @@ function Test-SystemRequirements
     return $true
 }
 
+# Generate monitoring/web.yml from PROMETHEUS_USER and PROMETHEUS_PASSWORD in .env
+function New-PrometheusWebConfig
+{
+    if (-not (Test-Path '.env')) { return }
+
+    $envContent = Get-Content '.env'
+    $promUserLine = $envContent | Where-Object { $_ -match '^PROMETHEUS_USER=' } | Select-Object -First 1
+    $promPassLine = $envContent | Where-Object { $_ -match '^PROMETHEUS_PASSWORD=' } | Select-Object -First 1
+
+    if (-not $promUserLine -or -not $promPassLine) {
+        Write-Warning-Custom "PROMETHEUS_USER or PROMETHEUS_PASSWORD not set in .env, skipping web.yml generation"
+        return
+    }
+
+    $promUser = ($promUserLine -replace '^PROMETHEUS_USER=', '').Trim('"')
+    $promPassword = ($promPassLine -replace '^PROMETHEUS_PASSWORD=', '').Trim('"')
+
+    if ([string]::IsNullOrEmpty($promUser) -or [string]::IsNullOrEmpty($promPassword)) {
+        Write-Warning-Custom "PROMETHEUS_USER or PROMETHEUS_PASSWORD is empty, skipping web.yml generation"
+        return
+    }
+
+    $rawHash = docker run --rm httpd:2-alpine htpasswd -nbBC 12 "" "$promPassword" 2>$null
+    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrEmpty($rawHash)) {
+        Write-Warning-Custom "Failed to generate Prometheus password hash"
+        return
+    }
+
+    # htpasswd outputs ":$2y$..." - strip leading colon and whitespace
+    $hash = $rawHash.TrimStart(':').Trim()
+
+    $content = "basic_auth_users:`n  ${promUser}: ${hash}`n"
+    [System.IO.File]::WriteAllText((Join-Path $PWD 'monitoring/web.yml'), $content)
+
+    Write-Success "Prometheus web config generated"
+}
+
 # Confirm action
 function Confirm-Action
 {
diff --git a/scripts/lib/utils.sh b/scripts/lib/utils.sh
index 2ad2426c..0805f3bf 100644
--- a/scripts/lib/utils.sh
+++ b/scripts/lib/utils.sh
@@ -201,6 +201,41 @@ check_system_requirements() {
     return 0
 }
 
+# Generate monitoring/web.yml from PROMETHEUS_USER and PROMETHEUS_PASSWORD in .env
+generate_prometheus_web_config() {
+  if [ ! -f .env ]; then
+    return 0
+  fi
+
+  local prom_user prom_password
+  prom_user=$(grep '^PROMETHEUS_USER=' .env | head -1 | cut -d= -f2- | tr -d '"')
+  prom_password=$(grep '^PROMETHEUS_PASSWORD=' .env | head -1 | cut -d= -f2- | tr -d '"')
+
+  if [ -z "$prom_user" ] || [ -z "$prom_password" ]; then
+    log_warning "PROMETHEUS_USER or PROMETHEUS_PASSWORD not set in .env, skipping web.yml generation"
+    return 0
+  fi
+
+  local raw_hash hash
+  raw_hash=$(docker run --rm httpd:2-alpine htpasswd -nbBC 12 "" "$prom_password" 2>/dev/null)
+
+  if [ -z "$raw_hash" ]; then
+    log_warning "Failed to generate Prometheus password hash"
+    return 0
+  fi
+
+  # htpasswd outputs ":$2y$..." — strip leading colon and trailing whitespace
+  hash="${raw_hash#:}"
+  hash="${hash%%[[:space:]]*}"
+
+  cat > monitoring/web.yml <<EOF
+basic_auth_users:
+  ${prom_user}: ${hash}
+EOF
+
+  log_success "Prometheus web config generated"
+}
+
 # Confirm action (returns 0 for yes, 1 for no)
 confirm() {
     local prompt="${1:-Are you sure?}"