- Comprehensive Workspace Audit - 2026-06-10.md - C1-Secrets-Rotation-Checklist-2026-06-10.md - Mistral-Outsource-Package-2026-06-10.md - Workflow-Remediation-Plan-2026-06-10.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| title | tags | created | status |
|---|---|---|---|
| C1 Secrets Rotation Checklist - 2026-06-10 | | 2026-06-10 | in-progress |
C1 Secrets Rotation Checklist - 2026-06-10
1. Tracked env files
deployment/.env and deployment/.env.dev are tracked in git.
- Rotate ALL credential values via provider dashboards first
- Create deployment/.env.example and deployment/.env.dev.example with placeholders
- Add deployment/.env and deployment/.env.dev to .gitignore
- Run: git rm --cached deployment/.env deployment/.env.dev
- Commit the removal
- History cleanup only after rotation confirmed
2. Test and source files with key-shaped material — triage each
For each, triage as real vs fake test fixture:
- backend/tests/decentralized-payment-verifier.test.ts
- backend/tests/payment-edge-cases.test.ts
- backend/tests/payment-integration.test.ts
- backend/tests/request-network-webhook.test.ts
- backend/tests/sweep-service.test.ts
- backend/tests/transaction-safety-provider.test.ts
- backend/src/services/payment/decentralizedPaymentService.ts
- backend/usdt-reset-test-report.md
- scanner/balance_test.go
- scanner/config.go
- nick-doc/01 - Architecture/Request Network Integration Constraints.md
- nick-doc/08 - Operations/Handoff - RN Multichain Probe - 2026-05-28.md
- nick-doc/10 - Services/scanner.md
- nick-doc/11 - Testing/Escrow Marketplace E2E Procedure.md
For real keys: rotate → replace with process.env.VAR_NAME → add to .env.example
For test fixtures: replace with obviously-fake value, add // test fixture comment
3. Documentation files
- Replace any key values in nick-doc/ with [REDACTED] or truncated form (0xfcE8...CdbA)
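An added example, not part of the original checklist or the project's code: a Python helper for the triage in section 2 and the truncated form in section 3. It assumes "key-shaped" means 0x-prefixed hex of 32 or 20 bytes; the function names, the distinct-character heuristic and the sample input are constructed for illustration.

```python
import hashlib
import re

# Assumption: "key-shaped" means 0x-prefixed hex of 32 bytes (private key or
# hash; the pattern cannot tell which) or 20 bytes (address).
HEX_RE = re.compile(r"0x([0-9a-fA-F]{64}|[0-9a-fA-F]{40})(?![0-9a-fA-F])")

def truncate(value):
    """Section 3 form, as in 0xfcE8...CdbA: 0x + first 4 hex chars ... last 4."""
    return f"{value[:6]}...{value[-4:]}"

def looks_fake(hex_body):
    """Heuristic (assumption): four or fewer distinct characters is a placeholder."""
    return len(set(hex_body.lower())) <= 4

def triage(text, path):
    """One finding per key-shaped value; the full value is never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HEX_RE.finditer(line):
            body = m.group(1)
            if looks_fake(body):
                verdict = "fixture-like"    # still add the // test fixture comment
            elif len(body) == 64:
                verdict = "needs-triage"    # treat as real until a human says otherwise
            else:
                verdict = "redact-in-docs"  # address-length: truncate per section 3
            findings.append({"path": path, "line": lineno,
                             "verdict": verdict, "shown": truncate(m.group(0))})
    return findings

def redact(text):
    """Replace every key-shaped value with its truncated form."""
    return HEX_RE.sub(lambda m: truncate(m.group(0)), text)

# Constructed sample input: hash-derived hex, not real key material.
SAMPLE_KEY = "0x" + hashlib.sha256(b"constructed sample").hexdigest()
SAMPLE_ADDR = SAMPLE_KEY[:42]
SAMPLE = (
    f'const signer = "{SAMPLE_KEY}";\n'
    f'const fake = "0x{"ab" * 32}";\n'
    f"Deposit address: {SAMPLE_ADDR}\n"
)

if __name__ == "__main__":
    for f in triage(SAMPLE, "sample.test.ts"):
        print(f"{f['path']}:{f['line']} {f['verdict']:<14} {f['shown']}")
    print(redact(SAMPLE))
```

A "needs-triage" verdict only means the value is not an obvious placeholder; deciding whether it is a live key still requires checking it against the provider or wallet it belongs to.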
4. Git history cleanup (ONLY after rotation confirmed)
- All rotated credentials live and all code instances replaced
- Notify ALL contributors — history rewrite requires re-cloning
- Use git filter-repo or BFG Repo-Cleaner
- Force-push all affected branches (requires explicit user approval)
5. Prevention
- Verify .gitignore blocks .env variants
- Confirm deployment/.gitleaks.toml is active
- Add gitleaks pre-commit hook: gitleaks protect --staged --config deployment/.gitleaks.toml
- Add gitleaks scan to Woodpecker CI pipeline
- Add to AGENTS.md: test keys must use process.env references, never inline values