---
issue: 074
title: "Backend: Telegram bot token + SMTP key (and others) committed in .env.development"
severity: high
domain: Security
labels: [security, backend, secrets, rotation-required]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Backend: Telegram bot token + SMTP key (and others) committed in .env.development

**Severity:** high
**Domain:** Security
**Labels:** security, backend, secrets, rotation-required

## Description

`backend/.env.development` contains live production secrets, including the Telegram bot token and the Resend SMTP API key (and potentially others). NB-33 replaced the `.env.example` placeholders, but `.env.development` itself still holds the live values and is tracked in git, so every clone of the repository carries them. The `.dockerignore` whitelist (see ISSUE-075) also copies this file into production images, so the values are present in every image built from that tree as well.

## What Must Happen

1. Rotate the Telegram bot token immediately.
2. Rotate the Resend SMTP API key immediately.
3. Untrack `.env.development` from git and scrub it from history.
4. Inject secrets at runtime via CI/vault rather than committed env files.

Rotation comes first and is required regardless of the scrub: a value that has been committed must be treated as compromised even after it is removed from history. Before fixing the rotation list, check the file and its git history for any other live values, since the audit flagged line 31 but did not rule out further secrets in the same file. Rewriting history also changes every commit hash after the first one that touched the file, so it needs a force-push and a fresh clone for every collaborator.

## Affected Files

- `backend/.env.development:31` (and potentially other lines)
- `backend/.dockerignore:14` (whitelist, see ISSUE-075)

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md), DEC-56
- [[ISSUE-075-backend-dockerignore-whitelists-env-development-into-prod-image|ISSUE-075]]
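The following script is an added example for steps 1 to 3 above; it is not the project's own tooling and the sample env file it builds is constructed for the demonstration (the real file, its key names and its values are not reproduced). `env_has_live_secrets` is the check a reviewer would want before deciding the rotation list: it walks a `.env` file and fails if any value looks like a live credential rather than a placeholder, with format checks for the two secret types named in this issue (the Telegram `<bot id>:<35 chars>` shape and the `re_` prefix assumed for Resend keys are approximations, not authoritative formats) plus a generic long-opaque-value heuristic. `untrack_and_scrub` is steps 3 and the history check that should follow them; it assumes the repo root is the working directory and that `git-filter-repo` is installed, and because it rewrites history it only runs when `SCRUB=1` is set.

```shell
#!/usr/bin/env sh
# Added example, not part of the project. Paths and key names are hypothetical.

ENV_FILE="${ENV_FILE:-backend/.env.development}"

# Exit 1 (printing "KEY: reason" per hit) if any value in the given env file
# looks like a live secret; exit 0 if every value is empty or a placeholder.
env_has_live_secrets() {
  file="$1"
  found=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac      # blank lines and comments
    case "$line" in *=*) ;; *) continue ;; esac    # not KEY=value
    key="${line%%=*}"
    val="${line#*=}"
    case "$val" in                                  # strip one pair of quotes
      \"*\"|\'*\') val="${val#?}"; val="${val%?}" ;;
    esac
    case "$val" in                                  # common placeholder shapes
      ''|CHANGEME|changeme|REPLACE_ME|xxx*|your-*|"<"*">") continue ;;
    esac
    if printf '%s' "$val" | grep -Eq '^[0-9]{8,10}:[A-Za-z0-9_-]{35}$'; then
      echo "$key: Telegram bot token"; found=1       # assumed bot-token shape
    elif printf '%s' "$val" | grep -Eq '^re_[A-Za-z0-9_]{20,}$'; then
      echo "$key: Resend API key"; found=1           # assumed re_ prefix
    elif printf '%s' "$val" | grep -Eq '^[A-Za-z0-9_=+/-]{32,}$'; then
      echo "$key: long opaque value"; found=1        # generic heuristic
    fi
  done < "$file"
  return "$found"
}

# Step 3: stop tracking the file, ignore it, remove it from all history, then
# verify no commit on any ref still touches it. Destructive: gated on SCRUB=1.
untrack_and_scrub() {
  file="$1"
  git rm --cached --quiet "$file"
  grep -qxF "$file" .gitignore 2>/dev/null || printf '%s\n' "$file" >> .gitignore
  git add .gitignore
  git commit --quiet -m "Stop tracking $file; secrets are injected at runtime"
  git filter-repo --invert-paths --path "$file" --force
  [ -z "$(git log --all --oneline -- "$file")" ] || {
    echo "history still references $file" >&2; return 1; }
}

# Constructed sample: a tracked file with live-looking values and the
# placeholder-only file that should pass. Neither is the project's real file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/tracked.env" <<'EOF'
# hypothetical key names; values are fabricated for the example
TELEGRAM_BOT_TOKEN=123456789:AAHexampleTOKENnotREAL_0123456789ab
RESEND_API_KEY="re_ExampleKey_00000000000000000000"
SMTP_PORT=587
LOG_LEVEL=debug
EOF
cat > "$demo_dir/example.env" <<'EOF'
TELEGRAM_BOT_TOKEN=changeme
RESEND_API_KEY=<your-resend-key>
EOF

echo "== tracked.env"
env_has_live_secrets "$demo_dir/tracked.env" && echo "clean" || echo "ROTATE: live values found"
echo "== example.env"
env_has_live_secrets "$demo_dir/example.env" && echo "clean" || echo "ROTATE: live values found"

if [ "${SCRUB:-0}" = 1 ]; then
  untrack_and_scrub "$ENV_FILE"
fi
```

Run `env_has_live_secrets` against the real `backend/.env.development` and against each historical version (`git show <commit>:backend/.env.development`) before settling the rotation list; the placeholder allowlist is deliberately short, so treat a "long opaque value" hit as something to inspect rather than dismiss. `git filter-repo` refuses to run on a clone with uncommitted work or an existing remote unless forced, and after it finishes the rewritten refs must be force-pushed and every other clone discarded; none of that makes the old values safe, which is why rotation is steps 1 and 2.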