Rotate credentials committed in .env #9

Closed
opened 2026-02-20 06:51:55 +00:00 by cal · 2 comments
Owner

`.env` contains real-looking values: `API_TOKEN=Tp3aO3jhYve5NJF1IqOmJTmk`, `POSTGRES_PASSWORD=your_production_password`. File is `.gitignore`d but exists on disk. Token should be rotated if it ever touched production.

Priority: high

cal added the security label 2026-02-20 06:51:55 +00:00
Author
Owner

Credential Rotation — Closed

All remediation tasks for this issue are complete as of 2026-04-01.

Rotation Actions

  • API_TOKEN — rotated on prod (ssh akamai) and dev (ssh pd-database) on 2026-04-01
  • POSTGRES_PASSWORD — verified on prod; confirmed it is not the placeholder value

PRs Merged

  • card-creation#52 — Real token (Tp3aO3jhYve5NJF1IqOmJTmk) scrubbed from docs/PD_CARDS_CLI_REFERENCE.md; replaced with your-api-token-here placeholder
  • discord#135 — .env.example added to the Discord bot repo documenting all required env vars with placeholder values
  • discord#136 — docker-compose.example.yml added to Discord bot repo; real docker-compose.yml confirmed gitignored and untracked

Status of Other Repos

  • paper-dynasty-database — .env.example already existed; no new action needed
  • paper-dynasty-card-creation — .env confirmed gitignored; no additional example file gap found

All tracked files have been audited. No remaining real credentials in any tracked file.

cal closed this issue 2026-04-01 18:03:39 +00:00
Author
Owner

Follow-up: Dev PostgreSQL password for sba_admin was also rotated on 2026-04-01. The old placeholder value your_production_password has been replaced with a secure generated password. Dev API verified working after restart.

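An added example, not part of the issue thread or the project's own code: a repeatable version of the two checks this issue describes, finding tracked files that contain a live value from `.env` and finding `.env` keys that still hold a template placeholder. The function names, the placeholder patterns and the minimum-length cutoff are assumptions made for this sketch.

```python
import re
import subprocess
from pathlib import Path

# Assumption: values shaped like these are template placeholders, not secrets.
PLACEHOLDER = re.compile(r"^(your[_-].*|changeme|.*[_-]here|<.*>)$", re.IGNORECASE)
MIN_SECRET_LEN = 8  # shorter values (ports, flags) would match far too much text

def parse_env(text):
    """Parse KEY=VALUE lines of a dotenv file, skipping comments and blanks."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.removeprefix("export ").strip()
        pairs[key] = value.strip().strip("'\"")
    return pairs

def audit(env_text, files):
    """Return (leaks, placeholders): leaks is a sorted list of (path, key) where
    a real .env value occurs in a file; placeholders is the sorted list of keys
    whose .env value was never replaced with a real secret."""
    env = parse_env(env_text)
    placeholders = sorted(k for k, v in env.items() if PLACEHOLDER.match(v))
    secrets = {k: v for k, v in env.items()
               if k not in placeholders and len(v) >= MIN_SECRET_LEN}
    leaks = set()
    for path in files:
        try:
            body = Path(path).read_text(errors="ignore")
        except OSError:
            continue  # missing or unreadable path: nothing to scan
        leaks.update((str(path), k) for k, v in secrets.items() if v in body)
    return sorted(leaks), placeholders

def tracked_files(repo="."):
    """Paths tracked by git in repo (NUL-separated to survive odd filenames)."""
    out = subprocess.run(["git", "-C", repo, "ls-files", "-z"],
                         check=True, capture_output=True, text=True).stdout
    return [Path(repo) / p for p in out.split("\0") if p]

if __name__ == "__main__":
    leaks, stale = audit(Path(".env").read_text(), tracked_files())
    for path, key in leaks:  # report the key name only, never the value
        print(f"LEAK  {key} value found in {path}")
    for key in stale:
        print(f"STALE {key} still holds a placeholder")
    raise SystemExit(1 if leaks or stale else 0)
```

This scans the current working tree only; a value removed from a tracked file is still present in earlier commits, which is why rotation is the actual fix.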
Reference: cal/paper-dynasty-database#9