---
title: C1 Secrets Rotation Checklist - 2026-06-10
tags: [audit, security, secrets, rotation, c1]
created: 2026-06-10
status: in-progress
---

# C1 Secrets Rotation Checklist - 2026-06-10

## 1. Tracked env files

deployment/.env and deployment/.env.dev are tracked in git.

- [ ] Rotate ALL credential values via provider dashboards first
- [ ] Create deployment/.env.example and deployment/.env.dev.example with placeholders
- [ ] Add deployment/.env and deployment/.env.dev to .gitignore
- [ ] Run: git rm --cached deployment/.env deployment/.env.dev
- [ ] Commit the removal
- [ ] History cleanup only after rotation confirmed

## 2. Test and source files with key-shaped material — triage each

For each, triage as real vs fake test fixture:

- backend/__tests__/decentralized-payment-verifier.test.ts
- backend/__tests__/payment-edge-cases.test.ts
- backend/__tests__/payment-integration.test.ts
- backend/__tests__/request-network-webhook.test.ts
- backend/__tests__/sweep-service.test.ts
- backend/__tests__/transaction-safety-provider.test.ts
- backend/src/services/payment/decentralizedPaymentService.ts
- backend/usdt-reset-test-report.md
- scanner/balance_test.go
- scanner/config.go
- nick-doc/01 - Architecture/Request Network Integration Constraints.md
- nick-doc/08 - Operations/Handoff - RN Multichain Probe - 2026-05-28.md
- nick-doc/10 - Services/scanner.md
- nick-doc/11 - Testing/Escrow Marketplace E2E Procedure.md

For real keys: rotate → replace with process.env.VAR_NAME → add to .env.example

For test fixtures: replace with obviously-fake value, add // test fixture comment

- [ ] backend/__tests__/decentralized-payment-verifier.test.ts
- [ ] backend/__tests__/payment-edge-cases.test.ts
- [ ] backend/__tests__/payment-integration.test.ts
- [ ] backend/__tests__/request-network-webhook.test.ts
- [ ] backend/__tests__/sweep-service.test.ts
- [ ] backend/__tests__/transaction-safety-provider.test.ts
- [ ] backend/src/services/payment/decentralizedPaymentService.ts
- [ ] backend/usdt-reset-test-report.md
- [ ] scanner/balance_test.go
- [ ] scanner/config.go
- [ ] nick-doc/01 - Architecture/Request Network Integration Constraints.md
- [ ] nick-doc/08 - Operations/Handoff - RN Multichain Probe - 2026-05-28.md
- [ ] nick-doc/10 - Services/scanner.md
- [ ] nick-doc/11 - Testing/Escrow Marketplace E2E Procedure.md

## 3. Documentation files

- [ ] Replace any key values in nick-doc/ with [REDACTED] or truncated form (0xfcE8...CdbA)

## 4. Git history cleanup (ONLY after rotation confirmed)

- [ ] All rotated credentials live and all code instances replaced
- [ ] Notify ALL contributors — history rewrite requires re-cloning
- [ ] Use git filter-repo or BFG Repo Cleaner
- [ ] Force-push all affected branches (requires explicit user approval)

## 5. Prevention

- [ ] Verify .gitignore blocks .env variants
- [ ] Confirm deployment/.gitleaks.toml is active
- [ ] Add gitleaks pre-commit hook: gitleaks protect --staged --config deployment/.gitleaks.toml
- [ ] Add gitleaks scan to Woodpecker CI pipeline
- [ ] Add to AGENTS.md: test keys must use process.env references, never inline values
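Added example (not from the checklist or the repo): a POSIX pre-commit hook covering the prevention items in section 5. It refuses any staged .env variant (while allowing the .example placeholders from section 1) and then runs the gitleaks command the checklist prescribes. The helper names, and the assumption that the script is installed as .git/hooks/pre-commit, are mine.

```shell
#!/bin/sh
# Hypothetical pre-commit hook: block real env files, then scan staged changes.
set -eu

# Returns 0 when the path is a real env file that must never be committed,
# 1 for anything else (including .env.example / .env.dev.example placeholders).
is_blocked_env_file() {
  case "${1##*/}" in
    *.example) return 1 ;;
    .env|.env.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Takes a newline-separated list of staged paths (paths may contain spaces,
# e.g. the nick-doc/ files); reports each blocked env file and returns 1 if any.
check_staged_paths() {
  rc=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if is_blocked_env_file "$p"; then
      printf 'blocked: %s is an env file; add it to .gitignore and run git rm --cached\n' "$p" >&2
      rc=1
    fi
  done <<EOF
$1
EOF
  return $rc
}

main() {
  # Only added/copied/modified/renamed paths in the index, not deletions.
  staged=$(git diff --cached --name-only --diff-filter=ACMR)
  check_staged_paths "$staged"
  # Scan only staged content against the repo's own gitleaks config.
  gitleaks protect --staged --config deployment/.gitleaks.toml
}

# Run the hook body only when git invokes this file as .git/hooks/pre-commit.
case "${0##*/}" in
  pre-commit) main ;;
esac
```

Install it with `cp` into .git/hooks/pre-commit and `chmod +x`; a failing check aborts the commit with the offending path on stderr.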