---
issue: 079
title: "Frontend: Telegram bot token committed in .gitleaks.toml allowlist — must rotate"
severity: high
domain: Security
labels: [security, frontend, secrets, rotation-required]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Frontend: Telegram bot token committed in .gitleaks.toml allowlist — must rotate

**Severity:** high
**Domain:** Security
**Labels:** security, frontend, secrets, rotation-required

## Description

`frontend/.gitleaks.toml:15` contains a value-based allowlist entry holding the plaintext Telegram bot token. A value-based allowlist entry in gitleaks has to carry the literal secret (or a regex that matches it) in order to suppress the finding, so it effectively publishes the secret in the allowlist itself. The same token appears in the backend `.env.development` (see ISSUE-074).

## Options

1. Replace the value-based allowlist with a path/commit-hash allowlist and rotate the token.
2. Remove the allowlist entry entirely after scrubbing the secret from source.
3. Use the handle-gitleaks workflow to triage and remediate.

## Recommendation

Rotate the token, switch to a non-value-based allowlist (path/fingerprint), and scrub history. Coordinate with backend ISSUE-074 since the same token appears there.

## Affected Files

- `frontend/.gitleaks.toml:15`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-78
- [[ISSUE-074-backend-env-development-committed-with-live-telegram-and-smtp-s|ISSUE-074]]
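The following is an added illustration of the recommendation above (value-based allowlist replaced by a location-based one); it is not the project's own `frontend/.gitleaks.toml`. The fixture path, the commit sha placeholder and the rule id `telegram-bot-api-token` (gitleaks' default rule name for this token type, assumed here) are assumptions, and the token-shaped string in the commented-out weak entry is a constructed placeholder, not a real credential.

```toml
# Added example config, not the project's file. Paths, commit sha and rule id
# are assumptions; the token value below is a constructed placeholder.

# --- Weak: value-based allowlist (the pattern the audit flagged) ------------
# To suppress the finding this way, the literal token (or a regex matching it)
# must live in the config, so the secret is committed in the allowlist itself.
# Kept here only as a comment to show the shape; never ship this.
#
# [allowlist]
#   description = "ignore our telegram token"
#   regexes = ['''123456789:AA-PLACEHOLDER-NOT-A-REAL-TOKEN''']

# --- Corrected: allowlist by location, never by value ----------------------
# Only meaningful after the token has been rotated and scrubbed from source;
# the entries below tell gitleaks where a known, dead finding lives, and carry
# no secret material themselves.
[allowlist]
  description = "Known, remediated locations; no secret values in this file"
  # Files that legitimately contain token-shaped strings (e.g. test fixtures).
  # Assumed path; adjust to the repo layout.
  paths = [
    '''frontend/src/__fixtures__/.*''',
  ]
  # Commits that introduced the historical leak. Findings in these commits are
  # ignored because the value they contain has already been rotated.
  commits = [
    "<commit-sha-of-the-original-leak>",
  ]
```

Ordering matters: rotate first, then scrub, then allowlist by location. Allowlisting the old location while the token is still live only hides a working credential from the scanner. An equivalent per-finding alternative to the `commits` list is a `.gitleaksignore` line in gitleaks' fingerprint form `<commit-sha>:<path>:<rule-id>:<line>`, for example `<commit-sha-of-the-original-leak>:frontend/.gitleaks.toml:telegram-bot-api-token:15` (placeholder sha). After the change, `gitleaks detect --source . --redact` over the repo should report the old location as allowlisted and nothing else, with `--redact` keeping any residual value out of the scanner's own log output.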