Commit 6893ca6 accidentally pushed envs/ENV — a real env file with
DATABASE_URL (including the wabot DB password) and AUTH_SECRET.
The file's gone from HEAD now; the secrets are STILL in git history
at 6893ca6 and must be rotated:
1. Postgres role 'waBot' password — change on the wabot DB and
update DATABASE_URL on every deploy that uses it.
2. AUTH_SECRET — regenerate with scripts/gen_auth_secret.sh and
bump OPERATOR_TOKEN_VERSION at the same time so every existing
session cookie also invalidates.
.gitignore now ignores everything in envs/ except .env.example so
the same shape of leak (envs/<anything>) can't recur.
If you'd rather scrub the secret from history outright, the only
clean option is a force-push that rewrites 6893ca6:
git filter-repo --invert-paths --path envs/ENV
git push --force origin master
That destroys the existing remote SHA, which other clones will need
to reset to. Defaults to 'rotate, don't rewrite' unless explicitly
asked.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
`scripts/publish.sh` failed during the web image build at
"Collecting page data" with:
ZodError: DATABASE_URL: Required
next build walks every route module including api/events/route.ts,
which imports env from @/env. The previous shape ran
envSchema.parse(process.env) at module top level, so the parse fired
inside the build container where DATABASE_URL deliberately isn't set.
Wrap the parse in a Proxy that resolves on first property access.
The build's page-data pass doesn't read any env property, so the
parse never runs at build time. Runtime callers (db.ts, media.ts,
api/events/route.ts) hit the proxy on first use and get the same
strict Zod validation as before.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Drop SEED_OPERATOR_TELEGRAM_ID (legacy from the Telegram era).
- Add SEED_OPERATOR_USERNAME + a comment pointing to
scripts/set-password.sh as the bootstrap path.
- Add OPERATOR_TOKEN_VERSION as the documented kill switch for the
AES-GCM session cookie.
- Document AUTH_SECRET more explicitly: refuse to leave blank, and
point at scripts/gen_auth_secret.sh as the generator.
- Add the bot fan-out tuning trio that's been in env.ts but not in
the example: BOT_FIRE_CONCURRENCY / BOT_GROUP_CONCURRENCY /
BOT_MAX_SEND_PER_MINUTE with the same comments as the schema.
- Add a Docker Registry section for scripts/publish.sh:
DOCKER_IMAGE_TAG and CM_IMAGE_PLATFORMS, mirroring the
cm_bot_v2 .env.example shape.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Local dev WEB_PORT now 9000 to match the planned dev/staging domain
test.04080616.xyz. Production deployment uses port 8100 mapped to
rexwa.04080616.xyz (configured in plan 4).
- apps/bot/tsconfig.json: exclude src/**/*.test.ts from the production
build (vitest types only present at dev time, mirrors the same fix we
made earlier for packages/shared).
