- Comprehensive Workspace Audit - 2026-06-10.md
- C1-Secrets-Rotation-Checklist-2026-06-10.md
- Mistral-Outsource-Package-2026-06-10.md
- Workflow-Remediation-Plan-2026-06-10.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
77 lines
3.1 KiB
Markdown
---
title: C1 Secrets Rotation Checklist - 2026-06-10
tags: [audit, security, secrets, rotation, c1]
created: 2026-06-10
status: in-progress
---

# C1 Secrets Rotation Checklist - 2026-06-10

## 1. Tracked env files

deployment/.env and deployment/.env.dev are tracked in git, so every value in them has been exposed since the commits were first pushed. Rotation comes first; untracking and history cleanup only stop the exposure from getting worse.

- [ ] Rotate ALL credential values via the provider dashboards first, and keep a list of the old values outside the repo (the same list drives the history cleanup in section 4)
- [ ] Create deployment/.env.example and deployment/.env.dev.example with placeholders (same variable names, no values)
- [ ] Add deployment/.env and deployment/.env.dev to .gitignore by exact name (a pattern like deployment/.env* would also hide the .example files)
- [ ] Run: git rm --cached deployment/.env deployment/.env.dev (removes them from the index only; the files stay on disk, so the running deployment is unaffected)
- [ ] Commit the removal together with the .gitignore change and the .example files
- [ ] Verify: git ls-files deployment/ no longer lists .env or .env.dev
- [ ] History cleanup (section 4) only after rotation confirmed; until then the old values are still one checkout away in history

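The untracking steps above as one script, added here as an example rather than anything the repository ships. It assumes a POSIX shell with git on PATH and the two paths named in the checklist; the ROTATION_CONFIRMED gate, the function names and the placeholder format KEY=&lt;KEY&gt; are this example's own conventions.

```sh
#!/bin/sh
# Added example (not the repository's own tooling): untrack the two env files
# from section 1 without removing them from disk. Assumes a POSIX shell, git on
# PATH, and the paths named in the checklist. ROTATION_CONFIRMED is a gate
# invented for this example; set it only after every value has been rotated.
set -eu

# Turn "KEY=value" lines into "KEY=<KEY>" placeholders so the .example file
# keeps the variable names and comments but none of the values. The real
# values are never written anywhere else.
make_env_example() {
  # $1 = real env file; placeholder version goes to stdout
  sed -E 's/^([[:space:]]*(export[[:space:]]+)?)([A-Za-z_][A-Za-z0-9_]*)=.*$/\1\3=<\3>/' "$1"
}

# Append each pattern to the ignore file unless an identical line exists.
# Exact file names are used on purpose: "deployment/.env*" would also hide
# the .example files that the checklist wants committed.
ensure_gitignore() {
  # $1 = path to .gitignore; remaining args = patterns to guarantee
  gi=$1; shift
  touch "$gi"
  for p in "$@"; do
    grep -qxF -- "$p" "$gi" || printf '%s\n' "$p" >> "$gi"
  done
}

# Remove the files from the index (not the working tree), stage the
# placeholder copies and the ignore rules, then check nothing is still tracked.
untrack_env_files() {
  # args = tracked env files, e.g. deployment/.env deployment/.env.dev
  [ "${ROTATION_CONFIRMED:-}" = "yes" ] || {
    echo "refusing: rotate every value first, then run with ROTATION_CONFIRMED=yes" >&2
    return 1
  }
  for f in "$@"; do
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    make_env_example "$f" > "$f.example"
    if git ls-files --error-unmatch -- "$f" >/dev/null 2>&1; then
      git rm --cached --quiet -- "$f"   # file stays on disk; only the index changes
    fi
    git add -- "$f.example"
  done
  ensure_gitignore .gitignore "$@"
  git add -- .gitignore
  left=$(git ls-files -- "$@")
  [ -z "$left" ] || { echo "still tracked: $left" >&2; return 1; }
  echo "untracked: $*  (commit now, then continue with section 4)"
}

# Only act when invoked explicitly, so sourcing the file for its functions is safe.
if [ "${1:-}" = "--apply" ]; then
  untrack_env_files deployment/.env deployment/.env.dev
fi
```

Run it from the repository root as ROTATION_CONFIRMED=yes sh untrack-env.sh --apply, then commit. The last check uses the index, which is exactly what a later commit would record, so an empty git ls-files result is the evidence the checklist asks for.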
## 2. Test and source files with key-shaped material — triage each

Each of the files below holds at least one value shaped like a private key, API token or seed phrase. Triage every value, not every file: the same test may mix a throwaway fixture with a key that was once run against a funded account, and the file name ("test", "report", "handoff") says nothing about which is which.

- Real: any value that was ever loaded by code against a live provider, chain or RPC endpoint, or whose origin nobody can vouch for. Unknown counts as real.
- Fixture: an obviously synthetic value (all zeros, repeated digits, deadbeef patterns) or one already marked as a fixture. Publicly known development keys (the default Hardhat/Anvil accounts, for example) are fixtures as well, but still mark them so the next reviewer does not re-triage them.

For real keys: rotate → replace with process.env.VAR_NAME (os.Getenv in the Go scanner) → add the variable name, with a placeholder value, to .env.example

For test fixtures: replace with an obviously-fake value and add a // test fixture comment on the same line (in the markdown files, say so in the surrounding text); a stable marker like that also gives the gitleaks config something to allowlist other than the value itself

- [ ] backend/__tests__/decentralized-payment-verifier.test.ts
- [ ] backend/__tests__/payment-edge-cases.test.ts
- [ ] backend/__tests__/payment-integration.test.ts
- [ ] backend/__tests__/request-network-webhook.test.ts
- [ ] backend/__tests__/sweep-service.test.ts
- [ ] backend/__tests__/transaction-safety-provider.test.ts
- [ ] backend/src/services/payment/decentralizedPaymentService.ts
- [ ] backend/usdt-reset-test-report.md
- [ ] scanner/balance_test.go
- [ ] scanner/config.go
- [ ] nick-doc/01 - Architecture/Request Network Integration Constraints.md
- [ ] nick-doc/08 - Operations/Handoff - RN Multichain Probe - 2026-05-28.md
- [ ] nick-doc/10 - Services/scanner.md
- [ ] nick-doc/11 - Testing/Escrow Marketplace E2E Procedure.md

## 3. Documentation files

- [ ] Replace any key values in nick-doc/ with [REDACTED], or with the truncated form (0xfcE8...CdbA) where the value is a public identifier
- [ ] Truncate only addresses and transaction hashes. Private keys, API tokens and mnemonics get [REDACTED] outright: a prefix still tells a reader which provider or key family it belongs to, and the full value stays in history until section 4 is done

## 4. Git history cleanup (ONLY after rotation confirmed)

A history rewrite revokes nothing. Existing clones, forks, CI caches and the hosting service may all keep the old objects; the rewrite only changes what future clones receive. That is why every step here waits for rotation.

- [ ] All rotated credentials live and all code instances replaced (sections 1 to 3 complete)
- [ ] Notify ALL contributors — history rewrite requires re-cloning; unpushed local branches must be rebased onto the rewritten history, never merged, or the old commits come straight back
- [ ] Use git filter-repo (preferred) or BFG Repo Cleaner, in a fresh clone: drop deployment/.env and deployment/.env.dev from every commit and replace each old value with [REDACTED] wherever else it appears
- [ ] Verify: a git grep for each old value across git rev-list --all returns nothing, both locally and in a new clone after the push
- [ ] Force-push all affected branches and tags (requires explicit user approval)
- [ ] Have the remote's now-unreachable objects garbage-collected; how depends on the hosting provider

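The rewrite and its verification as shell functions, added here as an example; this is not tooling from the repository. It assumes git-filter-repo is installed and runs in a fresh clone, and that whoever did the rotation keeps a file with one old value per line outside the repo (the file is deleted once the rewrite is verified). The gate variables and function names are this example's own.

```sh
#!/bin/sh
# Added example for section 4, not the repository's own tooling. Assumes
# git-filter-repo is installed and that it runs inside a fresh clone (it refuses
# a non-fresh clone unless forced). The gate variables and the "old values"
# file are this example's conventions: the file is written by whoever did the
# rotation, lives outside the repo, and is deleted once the rewrite is verified.
set -eu

# One "old==>new" line per value, the format git filter-repo --replace-text
# reads. Literal matching is the default; a "regex:" prefix is also accepted.
build_replace_expressions() {
  # $1 = file with one old value per line; $2 = expressions file to write
  : > "$2"
  while IFS= read -r old || [ -n "$old" ]; do
    [ -n "$old" ] || continue
    printf '%s==>[REDACTED]\n' "$old" >> "$2"
  done < "$1"
}

# The preconditions the checklist lists, enforced rather than assumed.
history_cleanup_preflight() {
  [ "${ROTATION_CONFIRMED:-}" = "yes" ]    || { echo "preflight: rotation not confirmed" >&2; return 1; }
  [ "${CONTRIBUTORS_NOTIFIED:-}" = "yes" ] || { echo "preflight: contributors not notified" >&2; return 1; }
  [ -z "$(git status --porcelain)" ]       || { echo "preflight: working tree not clean" >&2; return 1; }
}

# Drop the given paths from every commit and scrub the old values from all
# other files in the same pass. Force-pushing afterwards is left to a human.
rewrite_history() {
  # $1 = expressions file; remaining args = paths to remove from history
  expr_file=$1; shift
  history_cleanup_preflight
  n=$#
  while [ "$n" -gt 0 ]; do set -- "$@" --path "$1"; shift; n=$((n - 1)); done
  git filter-repo --replace-text "$expr_file" --invert-paths "$@"
}

# Returns 0 only if no old value survives in any commit reachable from any ref.
# Run after the rewrite, and again from a new clone after the force-push.
verify_scrubbed() {
  # $1 = file with one old value per line
  found=0
  while IFS= read -r old || [ -n "$old" ]; do
    [ -n "$old" ] || continue
    if git grep -q -F -e "$old" $(git rev-list --all) 2>/dev/null; then
      echo "still present in history: ${old%"${old#????}"}..." >&2   # first 4 chars only
      found=1
    fi
  done < "$1"
  return $found
}
```

Typical sequence: build_replace_expressions ~/old-values.txt /tmp/expr.txt, then ROTATION_CONFIRMED=yes CONTRIBUTORS_NOTIFIED=yes rewrite_history /tmp/expr.txt deployment/.env deployment/.env.dev, then verify_scrubbed ~/old-values.txt before anyone force-pushes. verify_scrubbed only sees objects reachable from refs, which is what filter-repo leaves behind after its own gc; the remote's copies are outside its reach.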
## 5. Prevention

- [ ] Verify .gitignore blocks .env variants: git check-ignore -v deployment/.env deployment/.env.dev deployment/.env.local must match a rule, and deployment/.env.example must not
- [ ] Confirm deployment/.gitleaks.toml is active: a config gitleaks is not pointed at with --config is silently ignored, so the hook and the CI step must both pass the path
- [ ] Add gitleaks pre-commit hook: gitleaks protect --staged --config deployment/.gitleaks.toml, failing closed when gitleaks is not installed (newer gitleaks releases mark protect as deprecated in favour of gitleaks git --pre-commit --staged; check gitleaks --help for the installed version)
- [ ] Add gitleaks scan to Woodpecker CI pipeline over the pushed commits, not just the working tree, and with --redact so a finding does not print the secret into the CI log
- [ ] Add to AGENTS.md: test keys must use process.env references, never inline values; fixtures must be visibly fake and carry a // test fixture comment

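The first three prevention items as a hook script, added as an example and not the repository's own hook. It assumes git on PATH, gitleaks plus deployment/.gitleaks.toml for the scan step, and a deployment/ layout with the env file names listed in the script; those names and the function names are this example's assumptions.

```sh
#!/bin/sh
# Added example for section 5, not the repository's own hook. Two checks that
# can run from .git/hooks/pre-commit or a CI step. Assumes git on PATH, and
# gitleaks plus deployment/.gitleaks.toml for the second check; the list of
# env file names is this example's assumption about the deployment/ layout.
set -eu

# Every real env file name must be ignored and every .example must NOT be.
# Asking git itself (check-ignore) covers all .gitignore files and the
# global excludes file, not just the one in the repo root. A pattern like
# "deployment/.env*" passes the first loop but fails the second.
verify_env_ignored() {
  rc=0
  for f in deployment/.env deployment/.env.dev deployment/.env.local deployment/.env.production; do
    # check-ignore also returns 1 for a tracked file, which is the right answer here
    git check-ignore -q -- "$f" || { echo "NOT ignored (or still tracked): $f" >&2; rc=1; }
  done
  for f in deployment/.env.example deployment/.env.dev.example; do
    if git check-ignore -q -- "$f"; then echo "ignored but must be committed: $f" >&2; rc=1; fi
  done
  return $rc
}

# Fail closed: a hook that passes when gitleaks is absent reports success
# without having scanned anything. --redact keeps a finding from printing the
# secret itself into the terminal or CI log.
pre_commit_gitleaks() {
  config=${1:-deployment/.gitleaks.toml}
  command -v gitleaks >/dev/null 2>&1 || { echo "gitleaks not installed; refusing to commit" >&2; return 1; }
  [ -f "$config" ] || { echo "missing gitleaks config: $config" >&2; return 1; }
  gitleaks protect --staged --config "$config" --redact
}

# Hook entry point: copy this file to .git/hooks/pre-commit (git runs it with
# no arguments) or invoke it with --hook from a CI step.
if [ "${1:-}" = "--hook" ] || [ "$(basename "$0")" = "pre-commit" ]; then
  verify_env_ignored
  pre_commit_gitleaks
fi
```

Both functions return non-zero on any problem, so git aborts the commit. For the Woodpecker step, run the same two functions and add a full-history scan of the pushed range with the same --config and --redact flags; the hook only ever sees staged changes.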