fitaiProto/SECURITY.md
2026-03-10 04:14:03 +01:00

🚨 SECURITY ALERT - IMMEDIATE ACTION REQUIRED

Exposed API Keys in Git History

The following API keys were accidentally committed to the repository and MUST BE ROTATED IMMEDIATELY:

1. Clerk Authentication Keys (Admin App)

  • File: apps/admin/.env (now removed from tracking)
  • Exposed Keys:
    • NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: pk_test_bmVlZGVkLWVsZXBoYW50LTY0LmNsZXJrLmFjY291bnRzLmRldiQ
    • CLERK_SECRET_KEY: sk_test_qnWnZSem1ZkodRip9NZDXszDnCP91HwlNwtAUAcHZ1 ⚠️ CRITICAL
    • CLERK_WEBHOOK_SECRET: whsec_TmM402k0pO/Au9u0vcJ1wLOoxvmeNOw+ ⚠️ CRITICAL

2. Clerk Authentication Key (Mobile App)

  • File: apps/mobile/.env (now removed from tracking)
  • Exposed Key:
    • EXPO_PUBLIC_CLERK_PUBLISHABLE_KEY: pk_test_bmVlZGVkLWVsZXBoYW50LTY0LmNsZXJrLmFjY291bnRzLmRldiQ

3. DeepSeek API Key (Admin App)

  • File: apps/admin/.env
  • Exposed Key:
    • DEEPSEEK_API_KEY: sk-6c2e965d97a349f08ae1c3386dabdf85 ⚠️ CRITICAL

Required Actions

Step 1: Rotate All Keys Immediately

Clerk Keys

  1. Go to https://dashboard.clerk.com
  2. Navigate to your project settings
  3. Rotate the secret key (this will invalidate the old one)
  4. Regenerate webhook secret in the Webhooks section
  5. Update your local .env files with new keys (DO NOT commit them)
  6. Update production environment variables

DeepSeek API Key

  1. Go to https://platform.deepseek.com
  2. Navigate to API Keys section
  3. Delete the exposed key: sk-6c2e965d97a349f08ae1c3386dabdf85
  4. Generate a new API key
  5. Update your local .env file (DO NOT commit it)
  6. Update production environment variables

Step 2: Remove Secrets from Git History

⚠️ WARNING: This will rewrite git history. Coordinate with your team before proceeding.

```bash
# Option 1: Using BFG Repo-Cleaner (recommended)
# Install BFG: https://rtyley.github.io/bfg-repo-cleaner/
# BFG operates on a fresh bare mirror clone, not on your working copy.
git clone --mirror <repository-url> fitaiProto.git   # <repository-url>: your remote
# One replacements file, one "<secret>==><replacement>" rule per line
cat > replacements.txt <<'EOF'
sk_test_qnWnZSem1ZkodRip9NZDXszDnCP91HwlNwtAUAcHZ1==>***REMOVED***
whsec_TmM402k0pO/Au9u0vcJ1wLOoxvmeNOw+==>***REMOVED***
sk-6c2e965d97a349f08ae1c3386dabdf85==>***REMOVED***
EOF
# BFG leaves the current HEAD commit untouched by design; that is fine here
# because the .env files are already removed from tracking.
bfg --replace-text replacements.txt fitaiProto.git
cd fitaiProto.git
git reflog expire --expire=now --all
git gc --prune=now --aggressive

# Option 2: Using git filter-branch (if BFG not available)
# Note: git now recommends git filter-repo instead; filter-branch still works.
git filter-branch --force --index-filter \
  "git rm --cached --ignore-unmatch apps/admin/.env apps/mobile/.env" \
  --prune-empty --tag-name-filter cat -- --all
```

Step 3: Force Push (Coordinate with Team)

```bash
git push origin --force --all
git push origin --force --tags
```

Every collaborator must then re-clone (or hard-reset onto the rewritten history): existing clones still contain the old commits, and therefore the secrets, until they do.

Step 4: Verify .gitignore

Ensure the following files are in .gitignore:

  • .env (all variants)
  • *.db (database files)
  • *.log (log files)
  • backups/ (backup directories)

Step 5: Set Up Environment Variables Properly

For Local Development

  1. Copy .env.example to .env (run from the repository root):
     cp apps/admin/.env.example apps/admin/.env
     cp apps/mobile/.env.example apps/mobile/.env

  2. Fill in the new API keys (never commit these files)

For Production/Staging

Use your hosting platform's environment variable management:

  • Vercel: Settings → Environment Variables
  • Netlify: Site settings → Build & deploy → Environment
  • Expo: Use eas secret:create for mobile app secrets

Prevention Measures Implemented

  1. Updated .gitignore to exclude all .env files
  2. Created .env.example files with placeholder values
  3. Added database files and logs to .gitignore
  4. TODO: Add pre-commit hook to prevent secret commits
  5. TODO: Set up secret scanning in CI/CD
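A pre-commit hook covering item 4, written here as an added example (not code from the fitaiProto repository): it refuses to commit any .env variant except .env.example and scans every staged added line for the three key formats this advisory lists (Clerk sk_test_/sk_live_, whsec_, and the sk-<32 hex> DeepSeek form). The regexes, the file-name rules and the hook path are assumptions.

```shell
#!/bin/sh
# Hypothetical pre-commit hook (added example, not the fitaiProto repository's own code).
# Install as .git/hooks/pre-commit and make it executable. The commit is refused when a
# .env variant other than .env.example is staged, or an added line matches a key format.

# Extended regex for the exposed key formats:
#   Clerk secret key       sk_test_... / sk_live_...
#   Clerk webhook secret   whsec_...
#   DeepSeek API key       sk-<32 hex characters>
SECRET_RE='sk_(test|live)_[A-Za-z0-9]{20,}|whsec_[A-Za-z0-9+/=]{20,}|sk-[0-9a-f]{32}'

# is_env_file PATH: succeeds (0) when PATH is a .env file that must never be committed.
is_env_file() {
    case "$1" in
        *.env.example)               return 1 ;;   # placeholder templates are fine
        .env|*/.env|.env.*|*/.env.*) return 0 ;;   # .env, .env.local, apps/admin/.env, ...
        *)                           return 1 ;;
    esac
}

# scan_for_secrets: reads text on stdin, prints each matching line with the key
# masked, and returns 1 if anything matched (0 when the input is clean).
scan_for_secrets() {
    hits=$(grep -E "$SECRET_RE" || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed -E "s#($SECRET_RE)#***REDACTED***#g"
    return 1
}

# run_hook: the checks git executes; a non-zero return blocks the commit.
run_hook() {
    status=0
    env_hits=$(git diff --cached --name-only --diff-filter=ACM |
        while IFS= read -r f; do is_env_file "$f" && printf '%s\n' "$f"; done)
    if [ -n "$env_hits" ]; then
        printf 'pre-commit: refusing to commit environment file(s):\n%s\n' "$env_hits" >&2
        status=1
    fi
    # Only added lines ('+' prefix, minus the '+++ b/path' header) are scanned.
    if ! git diff --cached --unified=0 | grep '^+' | grep -v '^+++ ' | scan_for_secrets >&2; then
        printf 'pre-commit: secret-looking value in staged changes (masked above)\n' >&2
        status=1
    fi
    return $status
}

# Run the checks only when git invokes this file as a hook (functions stay testable).
case "$0" in */hooks/pre-commit) run_hook || exit 1 ;; esac
```

Any tool that mirrors the same patterns in CI (item 5) catches what a developer who skipped the local hook still pushes.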

Additional Security Recommendations

  1. Enable Clerk's IP allowlisting to restrict API access
  2. Monitor Clerk dashboard for unusual activity
  3. Review DeepSeek API usage for unauthorized requests
  4. Set up rate limiting on all authentication endpoints (in progress)
  5. Enable 2FA on all service accounts (Clerk, DeepSeek, hosting platforms)

Questions?

If you need help with any of these steps, please reach out to the security team immediately.


Created: $(date)
Status: URGENT - Key rotation in progress
Last Updated: $(date)