security: remove committed secrets from tracked files#143
Draft
seb7152 wants to merge 2 commits into
Draft
Conversation
- opencode.json: untrack (already in .gitignore) and replace the Supabase
management PAT and Context7 API key with {env:...} references
- .claude/settings.json: replace hardcoded Context7 API key with
${CONTEXT7_API_KEY} env reference (matching the Supabase token above it)
- test-versions-api.js: read Supabase URL and service_role key from
environment variables instead of hardcoding the service_role JWT
The exposed credentials must be rotated/revoked in their respective
dashboards; scrubbing the working tree does not remove them from git history.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011g72ZQ5ry1KYqSR63MbKmy
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
First table of the staged RLS rollout. defense_analyses already has correct per-org SELECT/INSERT/UPDATE policies; this migration only activates them via ENABLE ROW LEVEL SECURITY (no FORCE, so service_role edge functions keep their bypass). Includes a non-destructive test plan (BEGIN/ROLLBACK, JWT-claims impersonation) covering legitimate access, cross-tenant isolation, and the service_role bypass. Not applied to production — to be validated via the test plan before enabling. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_011g72ZQ5ry1KYqSR63MbKmy
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Contexte
Première étape d'un chantier d'optimisation (sécurité / performance / UX). Cette PR se limite au retrait des secrets committés en clair dans le dépôt. Les chantiers RLS et sécurisation des callbacks se feront séparément, table par table / endpoint par endpoint, avec revue préalable — aucune modification Supabase / prod dans cette PR.
Changements
opencode.json: fichier dé-tracké (git rm --cached— il était déjà listé dans.gitignoremais restait suivi). Les valeursSUPABASE_ACCESS_TOKEN(PAT de managementsbp_…) etCONTEXT7_API_KEYsont remplacées par des références{env:…}..claude/settings.json: la clé Context7 en dur est remplacée par${CONTEXT7_API_KEY}, cohérent avec le${SUPABASE_ACCESS_TOKEN}déjà utilisé juste au-dessus.test-versions-api.js: lecture de l'URL et de la cléservice_roledepuisprocess.env(SUPABASE_URL,SUPABASE_SERVICE_ROLE_KEY) au lieu du JWTservice_roleen dur ; garde du script si les variables sont absentes.Secrets concernés (à révoquer)
Le scrub du working tree ne supprime pas ces secrets de l'historique git — ils restent lisibles dans les commits antérieurs. Ils doivent être révoqués / rotationnés dans leurs dashboards respectifs :
service_role(accès complet à la base, bypass RLS)sbp_…)Purger l'historique (
git filter-repo+ force-push) est possible dans un second temps si souhaité, mais réécrit l'historique partagé ; la révocation reste la mitigation prioritaire.Vérification
sbp_,ctx7sk-, JWTeyJ…,service_role) sur l'arbre suivi → plus aucune occurrence des valeurs exposées.opencode.jsonconfirmé non suivi après commit.🤖 Generated with Claude Code
https://claude.ai/code/session_011g72ZQ5ry1KYqSR63MbKmy
Generated by Claude Code