security: untrack envs/ENV (leaked DB password + AUTH_SECRET)

Commit 6893ca6 accidentally pushed envs/ENV — a real env file with DATABASE_URL (including the wabot DB password) and AUTH_SECRET. The file's gone from HEAD now; the secrets are STILL in git history at 6893ca6 and must be rotated: 1. Postgres role 'waBot' password — change on the wabot DB and update DATABASE_URL on every deploy that uses it. 2. AUTH_SECRET — regenerate with scripts/gen_auth_secret.sh and bump OPERATOR_TOKEN_VERSION at the same time so every existing session cookie also invalidates. .gitignore now ignores everything in envs/ except .env.example so the same shape of leak (envs/<anything>) can't recur. If you'd rather scrub the secret from history outright, the only clean option is a force-push that rewrites 6893ca6: git filter-repo --invert-paths --path envs/ENV git push --force origin master That destroys the existing remote SHA, which other clones will need to reset to. Defaults to 'rotate, don't rewrite' unless explicitly asked. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 22:14:44 +08:00 · 2026-05-10 22:14:44 +08:00 · 58b249097a
commit 58b249097a
parent 6893ca6ba9
2 changed files with 7 additions and 50 deletions
--- a/.gitignore
+++ b/.gitignore
@ -18,6 +18,13 @@ apps/web/public/swe-worker-*.js
 # ARE committed to this private Gitea. Only ignore example overrides:
 .env.local
 .env.*.local
 # Anything inside envs/ EXCEPT the example template — a real env
 # file (envs/ENV) leaked once into commit 6893ca6 carrying the DB
 # password and AUTH_SECRET. Whitelist .env.example explicitly so a
 # future copy-paste of envs/.env.example into envs/ENV (or any other
 # name) gets blocked at git add time.
 envs/*
 !envs/.env.example
 # logs
 *.log
--- a/envs/ENV
+++ b/envs/ENV
@ -1,50 +0,0 @@
 # === Postgres ===
 DATABASE_URL=postgres://waBot:cJe3SGjHHAitNBE4@192.168.0.210:5432/wabot
 # === App data paths (inside containers) ===
 DATA_DIR=/data
 SESSIONS_DIR=/data/sessions
 MEDIA_DIR=/data/media
 # === Bot service ===
 BOT_HEALTH_PORT=8081
 BOT_LOG_LEVEL=info
 # Reminder fan-out tuning. Defaults aim for an established WhatsApp
 # account (~30-60 msg/min safe band). Bump cautiously.
 #   BOT_FIRE_CONCURRENCY     pg-boss workers; max accounts firing in parallel.
 #   BOT_GROUP_CONCURRENCY    per-account parallel group sends; parts within a
 #                            group stay serial.
 #   BOT_MAX_SEND_PER_MINUTE  per-account token-bucket rate.
 BOT_FIRE_CONCURRENCY=8
 BOT_GROUP_CONCURRENCY=3
 BOT_MAX_SEND_PER_MINUTE=40
 # === Seed (used by scripts/db.sh seed) ===
 # The bootstrap operator's username. After seed, set their password
 # via:  echo 'change-me-now' | scripts/set-password.sh admin
 SEED_OPERATOR_USERNAME=admin
 SEED_OPERATOR_NAME=Operator
 # === Web / Auth ===
 # Port the Next.js container exposes on the host. Production deployment
 # (wabot.04080616.xyz) uses 8100; dev/staging (test.04080616.xyz) uses 9000.
 WEB_PORT=8100
 # 32-byte secret used to derive the AES-256-GCM key for session cookies.
 # DO NOT leave blank — the web container will refuse to issue cookies.
 # Generate via: scripts/gen_auth_secret.sh --write
 AUTH_SECRET=86f656580a58f03b6ccb43d257e0e801ecd5356e042e8886b3c7c569e29ff13c
 # Bumping this invalidates every outstanding session cookie globally on
 # the next request. Treat it as a kill switch (e.g. after a key leak)
 # rather than a routine value.
 OPERATOR_TOKEN_VERSION=1
 # === Docker Registry (used by scripts/publish.sh) ===
 # Tag pushed alongside latest. Override with the CLI arg or
 # DOCKER_IMAGE_TAG=v1.2.3 scripts/publish.sh.
 DOCKER_IMAGE_TAG=latest
 # Buildx target platforms. linux/amd64 is the prod host arch; add
 # linux/arm64 if you cross-build for an Apple-silicon runner.
 CM_IMAGE_PLATFORMS=linux/amd64