[SEC-001] CRITICAL: Exposed Secrets in Version Control

[AndrewHakmi]

Problem

CRITICAL SECURITY BREACH: OpenAI API keys, database passwords, JWT secrets, and other sensitive credentials are committed and exposed in version control.

Files:

• .env.dev - Contains OpenAI API key, Neo4j password, Postgres password
• .env.prod - Contains production credentials (SAME as dev!)

Exposed credentials:

• OpenAI API key: sk-proj-poqHlE98Uf0yR9PJ... (partially redacted)
• NEO4J_PASSWORD: 12ee8ba019
• JWT_SECRET_KEY: SFuw2HJdBTeccHlpx4t5...
• BOOTSTRAP_ADMIN_PASSWORD: gfhjkmvfhjkm
• Multiple database passwords

Impact

• Unauthorized access to production data
• OpenAI API abuse (financial loss)
• Complete system compromise
• GDPR/compliance violations

Immediate Actions Required

1. Revoke All Credentials (URGENT - Do Now)

# Immediately revoke OpenAI API key
# Go to: https://platform.openai.com/api-keys

# Generate new secrets
openssl rand -base64 32  # For JWT_SECRET_KEY
openssl rand -base64 24  # For passwords
openssl rand -hex 32     # For API keys

2. Remove from Git History

# WARNING: This rewrites history
git filter-branch --tree-filter 'rm -f .env.dev .env.prod .env.stage' -- --all
git push origin --force --all
git push origin --force --tags

3. Update .gitignore

Add to .gitignore:

# Secrets
.env
.env.*
.env.*.local
secrets/
private/
*.key
*.pem
credentials.json

4. Implement Secret Management

Choose one:

• Option A: Docker secrets
• Option B: HashiCorp Vault
• Option C: AWS Secrets Manager

5. Rotate All Credentials

• OpenAI API key
• JWT_SECRET_KEY
• NEO4J_PASSWORD
• POSTGRES_PASSWORD
• BOOTSTRAP_ADMIN_PASSWORD
• ADMIN_API_KEY
• All other API keys/secrets

Verification

# Check git history is clean
git log --all --full-history -- ".env*"
# Should return empty

# Verify .gitignore
git check-ignore .env.prod
# Should output: .env.prod

Estimated Time

2-4 hours (URGENT)

References

• COMPREHENSIVE_TODO.md: SEC-001
• Lines: .env.dev, .env.prod, .env.stage