Rotate secrets exposed in git history #50

Closed
opened 2026-03-23 04:57:23 +00:00 by cal · 1 comment

Summary

PR #29 removed hardcoded secrets from the codebase, but they remain in git history and should be rotated.

Secrets to rotate

  1. PD API bearer token (Tp3aO3jhYve5NJF1IqOmJTmk) — was hardcoded in db_calls.py. Regenerate in Paper Dynasty API admin.

  2. Supabase service-role JWT — was hardcoded in scripts/supabase_doodling.py (file now deleted). JWT expiry is 2061, so it remains valid until rotated. Rotate in Supabase dashboard.

After rotation

  • Update the .env file on any machine running the card pipeline with the new PD API token
  • Verify pd-cards CLI still authenticates correctly
  • The Supabase JWT may not be actively used (the script it was in was deleted), but rotate it anyway as a hygiene measure

Priority

High — exposed credentials should be rotated promptly even though the repos are private.

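The issue above hinges on two checks a practitioner would run before closing it: confirm that a secret "removed" in a later commit is still readable from history, and read the JWT's own claims to see how long it stays valid. Here is an added example (not code from this issue or from the paper-dynasty-card-creation repo): a stdlib-only scanner that can be fed the output of `git log -p --all`, flags token-looking assignments and JWTs in deletion hunks, and decodes each JWT's payload to report `role` and `exp` without verifying the signature. The sample diff, the token value and the JWT are constructed for the example; nothing about the real Paper Dynasty API or the Supabase project is assumed beyond the general shape of a bearer token and a JWT.

```python
"""Added example (not code from this issue or the paper-dynasty-card-creation
repo): scan text such as `git log -p --all` output for credentials that were
removed from the working tree but survive in history, and read the expiry of
any JWT found.  The sample diff, token value and JWT below are constructed."""
import base64
import json
import re
import time
from datetime import datetime, timezone

# A JWT is three base64url segments; a JSON header always encodes to "eyJ...".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")
# Opaque API tokens assigned to a suspicious name: API_TOKEN = "..." and the like.
TOKEN_RE = re.compile(
    r"(?i)\b([A-Z_]*(?:token|api_key|secret)[A-Z_]*)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"
)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature.
    Good enough for triage (exp, role); never use it to authenticate."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def jwt_is_live(token: str, now_epoch=None) -> bool:
    """True if the token has not yet expired (a token with no exp never expires)."""
    exp = decode_jwt_claims(token).get("exp")
    if exp is None:
        return True
    now = int(time.time()) if now_epoch is None else now_epoch
    return exp > now


def scan(text: str, now_epoch=None) -> list:
    """Return one finding per credential-looking string in `text`."""
    findings = []
    for m in JWT_RE.finditer(text):
        claims = decode_jwt_claims(m.group(0))
        exp = claims.get("exp")
        findings.append({
            "kind": "jwt",
            "role": claims.get("role"),
            "exp_year": datetime.fromtimestamp(exp, tz=timezone.utc).year if exp else None,
            "live": jwt_is_live(m.group(0), now_epoch),
        })
    for m in TOKEN_RE.finditer(text):
        findings.append({"kind": "token", "name": m.group(1), "value": m.group(2)})
    return findings


# --- constructed sample data -------------------------------------------
# A JWT shaped like a Supabase service-role key, with exp set to
# 2061-01-01T00:00:00Z (2871763200).  The signature segment is junk.
SAMPLE_JWT = ".".join([
    _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"role": "service_role", "exp": 2871763200}).encode()),
    "not_a_real_signature",
])

# What `git log -p --all` shows after a commit "removed" a secret: the
# deletion hunk still carries the value, so the secret is still exposed.
SAMPLE_DIFF = f"""\
commit 1a2b3c4 (constructed)
--- a/scripts/supabase_doodling.py
+++ /dev/null
-SUPABASE_KEY = "{SAMPLE_JWT}"
--- a/db_calls.py
+++ b/db_calls.py
-API_TOKEN = "ExAmPlEtOkEnDoNoTuSe0123456789"
+API_TOKEN = os.environ["PD_API_TOKEN"]
"""

if __name__ == "__main__":
    import sys
    # Real use:  git log -p --all | python scan_history.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for finding in scan(text):
        print(finding)
```

Run it against a real clone with `git log -p --all | python scan_history.py`; a finding whose `live` is `True` is a credential that must be rotated regardless of whether the file that held it still exists. The decoder deliberately ignores the signature: for triage you only need the claims, and verifying would require the project secret you are trying to retire.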
cal closed this issue 2026-04-01 18:02:02 +00:00

Resolved via PR #52

  • Real API token (Tp3aO3jhYve5NJF1IqOmJTmk) scrubbed from docs/PD_CARDS_CLI_REFERENCE.md — replaced with your-api-token-here placeholder
  • Full audit of tracked card-creation files found no Supabase JWT or Ladies5-Monogamy-Charter references
  • .env is gitignored; no additional example file gap in this repo

See paper-dynasty-database#9 for full rotation details (API_TOKEN rotated on prod + dev, POSTGRES_PASSWORD verified).

Reference: cal/paper-dynasty-card-creation#50