nick-doc/09 - Audits/C1-Secrets-Rotation-Checklist-2026-06-10.md
Siavash Sameni c5fa6516e8 docs: add 2026-06-10 audit and remediation planning documents
- Comprehensive Workspace Audit - 2026-06-10.md
- C1-Secrets-Rotation-Checklist-2026-06-10.md
- Mistral-Outsource-Package-2026-06-10.md
- Workflow-Remediation-Plan-2026-06-10.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-10 10:09:29 +04:00

---
title: C1 Secrets Rotation Checklist - 2026-06-10
tags: [audit, security, secrets, rotation, c1]
created: 2026-06-10
status: in-progress
---
# C1 Secrets Rotation Checklist - 2026-06-10
## 1. Tracked env files
deployment/.env and deployment/.env.dev are tracked in git.
- [ ] Rotate ALL credential values via provider dashboards first
- [ ] Create deployment/.env.example and deployment/.env.dev.example with placeholders
- [ ] Add deployment/.env and deployment/.env.dev to .gitignore
- [ ] Run: git rm --cached deployment/.env deployment/.env.dev
- [ ] Commit the removal
- [ ] History cleanup only after rotation confirmed
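The untracking steps above, as an added POSIX sh example (not part of this checklist or the repo): the script builds a placeholder .env.example without copying any value, adds the real file to .gitignore idempotently, and runs the git rm --cached step; the commit and any history rewrite remain manual. It assumes the repo layout named in the checklist (deployment/.env, deployment/.env.dev).

```shell
#!/bin/sh
# Added example for section 1 (not the repo's own tooling): stop tracking
# deployment/.env and deployment/.env.dev after their values have been rotated.

# make_env_example SRC DST
# Comments and blank lines are copied verbatim; every KEY=value line becomes
# KEY=<KEY>, so no credential value from SRC reaches DST.
make_env_example() {
    src=$1; dst=$2
    : > "$dst"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*)
                printf '%s\n' "$line" >> "$dst" ;;
            *=*)
                key=${line%%=*}          # text before the first '='
                name=${key#"export "}    # bare name when 'export' is used
                printf '%s=<%s>\n' "$key" "$name" >> "$dst" ;;
            *)
                # Not an assignment: drop it rather than risk copying a secret,
                # and do not echo the content itself.
                printf 'skipped a non-assignment line in %s\n' "$src" >&2 ;;
        esac
    done < "$src"
}

# ensure_ignored GITIGNORE PATTERN
# Appends PATTERN unless an identical line already exists, so re-running the
# script never duplicates .gitignore entries.
ensure_ignored() {
    gi=$1; pat=$2
    touch "$gi"
    grep -qxF -- "$pat" "$gi" || printf '%s\n' "$pat" >> "$gi"
}

# untrack_env_files REPO_ROOT
# The section-1 sequence after rotation is confirmed: example file, .gitignore
# entry, git rm --cached. Requires git; the commit stays a manual step.
untrack_env_files() {
    root=$1
    for f in deployment/.env deployment/.env.dev; do
        [ -f "$root/$f" ] || continue
        make_env_example "$root/$f" "$root/$f.example"
        ensure_ignored "$root/.gitignore" "$f"
        git -C "$root" rm --cached --quiet -- "$f"
    done
}
```

Run it as `untrack_env_files /path/to/repo` after sourcing the script; inspect the generated .example files before committing.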
## 2. Test and source files with key-shaped material — triage each
For each, triage as a real key vs. a fake test fixture:
- backend/__tests__/decentralized-payment-verifier.test.ts
- backend/__tests__/payment-edge-cases.test.ts
- backend/__tests__/payment-integration.test.ts
- backend/__tests__/request-network-webhook.test.ts
- backend/__tests__/sweep-service.test.ts
- backend/__tests__/transaction-safety-provider.test.ts
- backend/src/services/payment/decentralizedPaymentService.ts
- backend/usdt-reset-test-report.md
- scanner/balance_test.go
- scanner/config.go
- nick-doc/01 - Architecture/Request Network Integration Constraints.md
- nick-doc/08 - Operations/Handoff - RN Multichain Probe - 2026-05-28.md
- nick-doc/10 - Services/scanner.md
- nick-doc/11 - Testing/Escrow Marketplace E2E Procedure.md
For real keys: rotate → replace with process.env.VAR_NAME → add to .env.example
For test fixtures: replace with an obviously fake value and add a // test fixture comment
- [ ] backend/__tests__/decentralized-payment-verifier.test.ts
- [ ] backend/__tests__/payment-edge-cases.test.ts
- [ ] backend/__tests__/payment-integration.test.ts
- [ ] backend/__tests__/request-network-webhook.test.ts
- [ ] backend/__tests__/sweep-service.test.ts
- [ ] backend/__tests__/transaction-safety-provider.test.ts
- [ ] backend/src/services/payment/decentralizedPaymentService.ts
- [ ] backend/usdt-reset-test-report.md
- [ ] scanner/balance_test.go
- [ ] scanner/config.go
- [ ] nick-doc/01 - Architecture/Request Network Integration Constraints.md
- [ ] nick-doc/08 - Operations/Handoff - RN Multichain Probe - 2026-05-28.md
- [ ] nick-doc/10 - Services/scanner.md
- [ ] nick-doc/11 - Testing/Escrow Marketplace E2E Procedure.md
## 3. Documentation files
- [ ] Replace any key values in nick-doc/ with [REDACTED] or truncated form (0xfcE8...CdbA)
## 4. Git history cleanup (ONLY after rotation confirmed)
- [ ] All rotated credentials live and all code instances replaced
- [ ] Notify ALL contributors — history rewrite requires re-cloning
- [ ] Use git filter-repo or BFG Repo Cleaner
- [ ] Force-push all affected branches (requires explicit user approval)
## 5. Prevention
- [ ] Verify .gitignore blocks .env variants
- [ ] Confirm deployment/.gitleaks.toml is active
- [ ] Add gitleaks pre-commit hook: gitleaks protect --staged --config deployment/.gitleaks.toml
- [ ] Add gitleaks scan to Woodpecker CI pipeline
- [ ] Add to AGENTS.md: test keys must use process.env references, never inline values