nick-doc/09 - Audits/C1-Secrets-Rotation-Checklist-2026-06-10.md
Siavash Sameni c5fa6516e8 docs: add 2026-06-10 audit and remediation planning documents
- Comprehensive Workspace Audit - 2026-06-10.md
- C1-Secrets-Rotation-Checklist-2026-06-10.md
- Mistral-Outsource-Package-2026-06-10.md
- Workflow-Remediation-Plan-2026-06-10.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-10 10:09:29 +04:00

---
title: C1 Secrets Rotation Checklist - 2026-06-10
tags:
  - audit
  - security
  - secrets
  - rotation
  - c1
created: 2026-06-10
status: in-progress
---

C1 Secrets Rotation Checklist - 2026-06-10

1. Tracked env files

deployment/.env and deployment/.env.dev are tracked in git.

  • Rotate ALL credential values via provider dashboards first
  • Create deployment/.env.example and deployment/.env.dev.example with placeholders
  • Add deployment/.env and deployment/.env.dev to .gitignore
  • Run: git rm --cached deployment/.env deployment/.env.dev
  • Commit the removal
  • History cleanup only after rotation confirmed
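The following script is an added example for step 1, not code from the original checklist or the repository. It derives a placeholder `.env.example` from a real env file (keeping variable names, comments and blank lines, dropping every value), appends the real file to `.gitignore` only if it is not already listed, and wraps the `git rm --cached` step. It assumes POSIX sh, awk and git; the `<NAME>` placeholder format is an assumption. The demo at the bottom runs on a constructed temporary directory, not on `deployment/`.

```shell
#!/bin/sh
# Added example for step 1, not part of the original checklist: build the
# placeholder .env.example files and stop tracking the real env files.
# Assumes POSIX sh, awk and git; the placeholder format <NAME> is an assumption.

# make_env_example SRC DST: copy SRC to DST keeping comments, blank lines and
# variable names, but replacing every value with <NAME> so no credential is copied.
make_env_example() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }                  # comments and blanks pass through
    /^[ \t]*(export[ \t]+)?[A-Za-z_][A-Za-z0-9_]*=/ {
      key = $0;  sub(/=.*/, "", key)                          # drop everything after the first "="
      name = key; sub(/^[ \t]*(export[ \t]+)?/, "", name)     # bare variable name
      print key "=<" name ">"; next
    }
    { print "# line " NR " not copied: not a KEY=VALUE line" }  # never copy unknown content
  ' "$1" > "$2"
}

# add_ignore_entry GITIGNORE PATTERN: append PATTERN unless it is already listed.
add_ignore_entry() {
  if [ -f "$1" ] && grep -qxF -- "$2" "$1"; then return 0; fi
  printf '%s\n' "$2" >> "$1"
}

# untrack_env FILE: remove FILE from the index but keep the working copy
# (the checklist's "git rm --cached" step). Commit afterwards; run only once
# every value in FILE has been rotated.
untrack_env() {
  git rm --cached --quiet -- "$1"
}

# Constructed demo input: a throwaway directory, not the deployment/ tree.
demo_dir=$(mktemp -d)
cat > "$demo_dir/.env" <<'EOF'
# constructed sample values, not real credentials
DATABASE_URL=postgres://app:hunter2@db.internal/app
export RN_API_KEY=rn_live_000000example
DEBUG=
EOF
make_env_example "$demo_dir/.env" "$demo_dir/.env.example"
add_ignore_entry "$demo_dir/.gitignore" ".env"
add_ignore_entry "$demo_dir/.gitignore" ".env"   # idempotent: still one entry
cat "$demo_dir/.env.example"
```

Against the real tree the calls are `make_env_example deployment/.env deployment/.env.example`, the same for `.env.dev`, `add_ignore_entry .gitignore deployment/.env` (and `deployment/.env.dev`), then `untrack_env deployment/.env deployment/.env.dev` followed by a commit. Diff the generated `.env.example` before committing it: every line should be a comment, a blank, or `NAME=<NAME>`, never a value.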

2. Test and source files with key-shaped material — triage each

For each, triage as real vs fake test fixture:

  • backend/tests/decentralized-payment-verifier.test.ts
  • backend/tests/payment-edge-cases.test.ts
  • backend/tests/payment-integration.test.ts
  • backend/tests/request-network-webhook.test.ts
  • backend/tests/sweep-service.test.ts
  • backend/tests/transaction-safety-provider.test.ts
  • backend/src/services/payment/decentralizedPaymentService.ts
  • backend/usdt-reset-test-report.md
  • scanner/balance_test.go
  • scanner/config.go
  • nick-doc/01 - Architecture/Request Network Integration Constraints.md
  • nick-doc/08 - Operations/Handoff - RN Multichain Probe - 2026-05-28.md
  • nick-doc/10 - Services/scanner.md
  • nick-doc/11 - Testing/Escrow Marketplace E2E Procedure.md

For real keys: rotate → replace with process.env.VAR_NAME → add to .env.example

For test fixtures: replace with obviously-fake value, add // test fixture comment
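The following script is an added triage helper for step 2, not code from the checklist or the repository. It prints every line in the given files that carries key-shaped material (32 bytes of hex with or without a `0x` prefix: the shape of an EVM private key, but also of a transaction hash, so each hit still needs a human decision) and that lacks the `test fixture` marker the checklist asks for on fake values. The report replaces the matched value so it never repeats a secret. The hex pattern and the marker text are assumptions; the demo runs on a constructed temporary file rather than the listed project files.

```shell
#!/bin/sh
# Added example for step 2, not part of the original checklist: list lines in
# the files under review that carry key-shaped material (32 bytes of hex, with
# or without 0x) and lack the "test fixture" marker. The pattern and the marker
# text are assumptions; hashes match too, so every hit is a triage item, not a verdict.

KEY_RE='(0x)?[0-9a-fA-F]{64}'
MARKER='test fixture'

# unmarked_key_lines FILE...: print file:line:text for each unmarked key-shaped
# line, with the value itself replaced so the report never repeats a secret.
unmarked_key_lines() {
  grep -nHE "$KEY_RE" -- "$@" | grep -vF "$MARKER" | sed -E "s/$KEY_RE/<key-shaped value>/g"
}

# Constructed demo file standing in for e.g. backend/tests/sweep-service.test.ts
demo=$(mktemp)
cat > "$demo" <<'EOF'
const SIGNER_KEY = "0x0000000000000000000000000000000000000000000000000000000000000001"; // test fixture
const WEBHOOK_SECRET = "8f1e2d3c4b5a69788f1e2d3c4b5a69788f1e2d3c4b5a69788f1e2d3c4b5a6978";
const rpcUrl = process.env.RPC_URL;
EOF
unmarked_key_lines "$demo"
```

Run it as `unmarked_key_lines backend/tests/*.test.ts scanner/*.go 'nick-doc/10 - Services/scanner.md'` and work through the output: a hit that is a real key goes down the rotate / `process.env.VAR_NAME` / `.env.example` path; a hit that is a fixture gets an obviously fake value plus the `// test fixture` comment, after which it drops out of the report.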

3. Documentation files

  • Replace any key values in nick-doc/ with [REDACTED] or truncated form (0xfcE8...CdbA)

4. Git history cleanup (ONLY after rotation confirmed)

  • All rotated credentials live and all code instances replaced
  • Notify ALL contributors — history rewrite requires re-cloning
  • Use git filter-repo or BFG Repo Cleaner
  • Force-push all affected branches (requires explicit user approval)

5. Prevention

  • Verify .gitignore blocks .env variants
  • Confirm deployment/.gitleaks.toml is active
  • Add gitleaks pre-commit hook: gitleaks protect --staged --config deployment/.gitleaks.toml
  • Add gitleaks scan to Woodpecker CI pipeline
  • Add to AGENTS.md: test keys must use process.env references, never inline values
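The following pre-commit hook is an added example for step 5, not the project's own hook. It refuses any commit that stages a real env file (`.env`, `.env.dev`, `.env.local` and similar in any directory, but not `*.example` files) and then runs the exact gitleaks command from the checklist, whose non-zero exit aborts the commit. It assumes gitleaks is on `PATH`; the env-file pattern is an assumption. When the script is not installed under `hooks/pre-commit` it exercises the path check on constructed input so it can be read and run without a repository.

```shell
#!/bin/sh
# Added example for step 5, not part of the original checklist: a pre-commit
# hook that refuses to commit a real env file and then runs the gitleaks check
# from the checklist. Assumes gitleaks is on PATH; the env-file pattern is an
# assumption. Install: cp this.sh .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit

# has_blocked_env_paths: succeed if stdin lists a path that must never be committed
# (.env, .env.dev, .env.local ... in any directory, but not *.example files).
has_blocked_env_paths() {
  grep -E '(^|/)\.env(\.[A-Za-z0-9_-]+)?$' | grep -qvE '\.example$'
}

run_hook() {
  staged=$(git diff --cached --name-only --diff-filter=ACMR)
  if printf '%s\n' "$staged" | has_blocked_env_paths; then
    echo "pre-commit: real env file staged; add it to .gitignore and unstage it:" >&2
    printf '%s\n' "$staged" | grep -E '(^|/)\.env(\.[A-Za-z0-9_-]+)?$' | grep -vE '\.example$' >&2
    return 1
  fi
  # Same command as the checklist; gitleaks exits non-zero on a finding, which aborts the commit.
  gitleaks protect --staged --config deployment/.gitleaks.toml
}

case "$0" in
  */hooks/pre-commit) run_hook ;;
  *)
    # Not installed as a hook: show the path check on constructed input (no git needed).
    demo_paths='deployment/.env
deployment/.env.example
backend/src/index.ts'
    if printf '%s\n' "$demo_paths" | has_blocked_env_paths; then
      echo "demo: deployment/.env would be rejected; deployment/.env.example would pass"
    fi ;;
esac
```

The path check is deliberately separate from gitleaks: gitleaks only flags values that match its rules, whereas an env file with a freshly rotated credential of an unrecognised format would slip past it, so the file-level rule catches the class of mistake that put `deployment/.env` in history in the first place. The same `gitleaks` invocation belongs in the Woodpecker pipeline step so that a contributor who skips local hooks is still caught.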