nick-doc/Issues/ISSUE-074-backend-env-development-committed-with-live-telegram-and-smtp-s.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


| issue | title | severity | domain | labels | status | created | source |
|---|---|---|---|---|---|---|---|
| 074 | Backend: Telegram bot token + SMTP key (and others) committed in .env.development | high | Security | security, backend, secrets, rotation-required | open | 2026-05-30 | Full Codebase Audit 2026-05-30 |

# Backend: Telegram bot token + SMTP key (and others) committed in .env.development

Severity: high Domain: Security Labels: security, backend, secrets, rotation-required

## Description

`backend/.env.development` contains live production secrets, including the Telegram bot token and the Resend SMTP API key (and potentially others). NB-33 replaced the placeholders in `.env.example`, but `.env.development` itself still holds the live values and is tracked in git, so they are present in every clone and in the commit history.

The `.dockerignore` whitelist (see ISSUE-075) also copies this file into production images, so the same values ship inside every built image.

## What Must Happen

  1. Rotate the Telegram bot token immediately.
  2. Rotate the Resend SMTP API key immediately.
  3. Untrack .env.development from git and scrub it from history.
  4. Inject secrets at runtime via CI/vault rather than committed env files.
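To keep step 4 from regressing, a pre-commit guard can refuse env files whose secret-looking keys carry non-placeholder values. The script below is an added example, not code from the repo or the audit; the key-name patterns, placeholder list and hook path are assumptions.

```shell
#!/bin/sh
# Pre-commit guard for KEY=value env files (constructed example, not repo code).
# Key-name patterns and the placeholder list below are illustrative assumptions.

# Return 0 when a value is an obvious placeholder, 1 when it looks real.
is_placeholder() {
  case "$1" in
    ''|changeme|CHANGE_ME|REPLACE_ME|dummy|example|xxx*|your-*|'<'*'>'|'${'*'}') return 0 ;;
  esac
  return 1
}

# Scan one env file: print each secret-looking key whose value is not a
# placeholder and return 1 if any was found, 0 otherwise.
scan_env_file() {
  found=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
    key=${line%%=*}
    val=${line#*=}
    val=${val#\"}; val=${val%\"}                 # strip surrounding double quotes
    case "$key" in
      *TOKEN*|*SECRET*|*API_KEY*|*PASSWORD*|*SMTP*|*_KEY)
        if ! is_placeholder "$val"; then
          echo "$key"
          found=1
        fi ;;
    esac
  done < "$1"
  return "$found"
}

# Check every file given as an argument; report offenders on stderr and return
# non-zero so git refuses the commit. Missing paths are ignored.
check_env_files() {
  rc=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    if ! keys=$(scan_env_file "$f"); then
      printf 'refusing to commit %s: live-looking values for %s\n' \
        "$f" "$(printf '%s' "$keys" | tr '\n' ' ')" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Hook wiring in .git/hooks/pre-commit (assumed script path):
#   . ./scripts/env-guard.sh
#   check_env_files $(git diff --cached --name-only --diff-filter=AM -- '.env*' '*/.env*')
```

The guard only blocks new commits; a file that is already tracked still needs `git rm --cached` plus a `.gitignore` entry, a history rewrite, and rotation of every value it ever held, as the steps above require.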

## Affected Files

- `backend/.env.development:31` (and potentially other lines)
- `backend/.dockerignore:14` (whitelist — see ISSUE-075)

## References