Commit 6893ca6 accidentally pushed envs/ENV — a real env file with
DATABASE_URL (including the wabot DB password) and AUTH_SECRET.
The file's gone from HEAD now; the secrets are STILL in git history
at 6893ca6 and must be rotated:
1. Postgres role 'waBot' password — change on the wabot DB and
update DATABASE_URL on every deploy that uses it.
2. AUTH_SECRET — regenerate with scripts/gen_auth_secret.sh and
bump OPERATOR_TOKEN_VERSION at the same time so every existing
session cookie also invalidates.
.gitignore now ignores everything in envs/ except .env.example so
the same shape of leak (envs/<anything>) can't recur.
If you'd rather scrub the secret from history outright, the only
clean option is a force-push that rewrites 6893ca6:
git filter-repo --invert-paths --path envs/ENV
git push --force origin master
That destroys the existing remote SHA, which other clones will need
to reset to. Defaults to 'rotate, don't rewrite' unless explicitly
asked.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
yiekheng
58b249097a