# 🚨 SECURITY ALERT - IMMEDIATE ACTION REQUIRED

## Exposed API Keys in Git History

The following API keys were accidentally committed to the repository and **MUST BE ROTATED IMMEDIATELY**. Treat each one as compromised: once a value has been pushed it exists in every clone, fork and CI cache, and scrubbing it from history (Step 2) only limits further spread. Rotation (Step 1) is the actual remediation.

The values are reproduced below so they can be revoked and scrubbed. Keep this note out of git, or redact the values once rotation is confirmed; committing it would re-introduce the secrets it describes.

### 1. Clerk Authentication Keys (Admin App)

- **File**: `apps/admin/.env` (now removed from tracking)
- **Exposed Keys**:
  - `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY`: `pk_test_bmVlZGVkLWVsZXBoYW50LTY0LmNsZXJrLmFjY291bnRzLmRldiQ` (publishable keys are designed to ship in client code and are not secret; listed for completeness)
  - `CLERK_SECRET_KEY`: `sk_test_qnWnZSem1ZkodRip9NZDXszDnCP91HwlNwtAUAcHZ1` ⚠️ **CRITICAL** (full backend access to the Clerk instance: users, sessions, organizations)
  - `CLERK_WEBHOOK_SECRET`: `whsec_TmM402k0pO/Au9u0vcJ1wLOoxvmeNOw+` ⚠️ **CRITICAL** (anyone holding it can forge webhook payloads that pass our signature check)

The `_test_` prefix means these belong to the Clerk development instance, not production. That reduces the blast radius but does not change the response: rotate them.

### 2. Clerk Authentication Key (Mobile App)

- **File**: `apps/mobile/.env` (now removed from tracking)
- **Exposed Key**:
  - `EXPO_PUBLIC_CLERK_PUBLISHABLE_KEY`: `pk_test_bmVlZGVkLWVsZXBoYW50LTY0LmNsZXJrLmFjY291bnRzLmRldiQ` (the same publishable key as the admin app; public by design)

### 3. DeepSeek API Key (Admin App)

- **File**: `apps/admin/.env`
- **Exposed Key**:
  - `DEEPSEEK_API_KEY`: `sk-6c2e965d97a349f08ae1c3386dabdf85` ⚠️ **CRITICAL** (billable; anyone holding it can run requests against our account until it is deleted)

## Required Actions

### Step 1: Rotate All Keys Immediately

Rotate before touching history: the rewrite in Step 2 does nothing about copies that already exist elsewhere.

#### Clerk Keys

1. Go to https://dashboard.clerk.com
2. Select the affected instance and open its API keys page
3. **Create a new secret key, then delete the exposed one** (deletion invalidates it immediately; servers still using the old key will start failing, so deploy the new value in the same change)
4. **Regenerate the webhook secret** in the Webhooks section and update the handler that verifies signatures
5. Update your local `.env` files with the new keys (DO NOT commit them)
6. Update production environment variables

#### DeepSeek API Key

1. Go to https://platform.deepseek.com
2. Navigate to the API Keys section
3. **Delete the exposed key**: `sk-6c2e965d97a349f08ae1c3386dabdf85`
4. **Generate a new API key**
5. Update your local `.env` file (DO NOT commit it)
6. Update production environment variables

### Step 2: Remove Secrets from Git History

⚠️ **WARNING**: This rewrites git history. Coordinate with your team before proceeding: every collaborator must re-clone afterwards, because a plain `git pull` or a rebase onto stale local branches would push the old commits straight back. Hosting providers such as GitHub also keep unreachable commits fetchable by SHA, and copies survive in forks and open pull requests until support purges them, which is another reason Step 1 comes first.
```bash
# Commit the removal of both .env files first, then work on a fresh mirror clone.
git clone --mirror <repo-url> repo.git
# One replacement rule per line; with no "==>" the tools substitute ***REMOVED***.
cat > /tmp/secrets.txt <<'EOF'
sk_test_qnWnZSem1ZkodRip9NZDXszDnCP91HwlNwtAUAcHZ1
whsec_TmM402k0pO/Au9u0vcJ1wLOoxvmeNOw+
sk-6c2e965d97a349f08ae1c3386dabdf85
EOF

# Option 1: BFG Repo-Cleaner (recommended) - https://rtyley.github.io/bfg-repo-cleaner/
# Scrubs the values everywhere and drops every .env blob. BFG never rewrites the HEAD
# commit, which is why the files must already be untracked there.
bfg --replace-text /tmp/secrets.txt --delete-files .env repo.git

# Option 2: git filter-repo (git filter-branch is deprecated by git and far slower).
# Same rules file. filter-repo deletes the `origin` remote when done; re-add it for Step 3.
(cd repo.git && git filter-repo --invert-paths --path apps/admin/.env --path apps/mobile/.env \
     --replace-text /tmp/secrets.txt)

# Either way: expire the reflog and prune so the old objects leave this clone too.
cd repo.git && git reflog expire --expire=now --all && git gc --prune=now --aggressive
rm -f /tmp/secrets.txt
```

### Step 3: Force Push (Coordinate with Team)

```bash
# Run from inside the rewritten mirror clone (repo.git from Step 2).
git push origin --force --all
git push origin --force --tags
```

If the remote has branch protection that forbids force pushes, lift it for the duration and restore it afterwards. Then have every collaborator delete their local clone and clone fresh.

### Step 4: Verify .gitignore

Ensure the following patterns are in `.gitignore`:

- ✅ `.env` (all variants, e.g. `.env.local`, `.env.production`; keep `.env.example` tracked with a negation rule `!.env.example`)
- ✅ `*.db` (database files)
- ✅ `*.log` (log files)
- ✅ `backups/` (backup directories)

`.gitignore` only stops new files from being added. A file that is already tracked stays tracked until it is removed from the index with `git rm --cached`, which is what "now removed from tracking" above refers to.

### Step 5: Set Up Environment Variables Properly

#### For Local Development

1. Copy `.env.example` to `.env` (from the repository root; chaining two relative `cd`s would fail on the second one):

```bash
cp apps/admin/.env.example apps/admin/.env
cp apps/mobile/.env.example apps/mobile/.env
```

2. Fill in the **new** API keys (never commit these files)

#### For Production/Staging

Use your hosting platform's environment variable management rather than files in the repository:

- **Vercel**: Settings → Environment Variables
- **Netlify**: Site settings → Build & deploy → Environment
- **Expo**: Use `eas secret:create` for mobile app secrets (anything prefixed `EXPO_PUBLIC_` is bundled into the app and is therefore public, exactly like `NEXT_PUBLIC_` on the web side; never put a secret key behind either prefix)

## Prevention Measures Implemented

1. ✅ Updated `.gitignore` to exclude all `.env` files
2. ✅ Created `.env.example` files with placeholder values
3. ✅ Added database files and logs to `.gitignore`
4. ⏳ TODO: Add a pre-commit hook that blocks commits containing key-shaped strings
5. ⏳ TODO: Set up secret scanning in CI/CD (and enable the hosting provider's push protection where available)

## Additional Security Recommendations

1. **Enable Clerk's IP allowlisting** to restrict API access
2. **Monitor the Clerk dashboard** for unusual activity (unexpected sign-ins, new users, changed settings)
3. **Review DeepSeek API usage** for unauthorized requests covering the whole period between the offending commit and the key's deletion
4. **Set up rate limiting** on all authentication endpoints (in progress)
5. **Enable 2FA** on all service accounts (Clerk, DeepSeek, hosting platforms)

## Questions?

If you need help with any of these steps, reach out to the security team immediately.

---

**Created**: $(date)
**Status**: URGENT - Key rotation in progress
**Last Updated**: $(date)
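## Appendix: Secret Scan Helper (added example)

Verifying the Step 2 rewrite and the pre-commit hook listed as prevention TODO 4 share one core: a grep over text for key-shaped strings. The script below is an added example, not part of this project or of BFG, filter-repo or any other tool named above. It assumes the key formats seen in this incident (Clerk `sk_test_`/`sk_live_` secret keys, `whsec_` webhook secrets, DeepSeek `sk-` followed by 32 hex digits); the file name `scan_secrets.sh` and the hook install path are assumptions. Publishable `pk_` keys are deliberately not flagged, since they are public by design.

```sh
#!/bin/sh
# scan_secrets.sh - added example, not project code. One pattern set, used both to
# verify a rewritten history (Step 2) and as a pre-commit gate (Prevention TODO 4).
#
# Assumed formats, taken from the values exposed in this incident:
#   Clerk secret keys        sk_(test|live)_<alphanumeric>
#   Clerk webhook secrets    whsec_<base64>
#   DeepSeek API keys        sk-<32 hex digits>
# Clerk publishable pk_* keys are public by design and intentionally not matched.
SECRET_PATTERNS='sk_(test|live)_[A-Za-z0-9]{20,}|whsec_[A-Za-z0-9+/=]{20,}|sk-[0-9a-f]{32}'

# scan_stream: read text on stdin; print each hit (line-numbered, key redacted) to
# stderr and return 1, or return 0 when nothing matched.
scan_stream() {
    hits=$(grep -E -n -e "$SECRET_PATTERNS" | sed -E "s#$SECRET_PATTERNS#<redacted>#g")
    if [ -n "$hits" ]; then
        printf 'Possible secret(s) found:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# verify_history: run inside the rewritten mirror clone. Greps every blob reachable
# from any ref (branches, tags, stash); a surviving key means the rewrite missed it.
verify_history() {
    git rev-list --all | xargs git grep -I -E -n -e "$SECRET_PATTERNS" | scan_stream
}

# precommit_hook: check only the lines this commit adds. Install (assumed path) with
#   printf '#!/bin/sh\nexec sh scripts/scan_secrets.sh staged\n' > .git/hooks/pre-commit
#   chmod +x .git/hooks/pre-commit
precommit_hook() {
    git diff --cached --diff-filter=ACMR -U0 | grep '^+' | grep -v '^+++ ' | scan_stream
}

case "${1:-}" in
    history) verify_history ;;
    staged)  precommit_hook ;;
esac
```

Run `sh scan_secrets.sh history` inside `repo.git` before the force push in Step 3; a clean history exits 0, anything else prints `commit:path:line` with the key itself replaced by `<redacted>` so the report can be pasted into a ticket. Wired in as the pre-commit hook, the same check rejects any commit whose added lines match, which is what stops the next `.env` from slipping in. Extend `SECRET_PATTERNS` whenever a new provider is added to the repository.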