Operator Safety

Secret Rotation Readiness

This checklist prepares operators to rotate secrets safely after any repository exposure. It does not include secret values and should never be filled in with real credentials.

Exposure Rule

Treat any previously committed real environment value as exposed, even when the file has been removed from the current tree. Do not rewrite Git history as part of routine deployment verification, and do not paste old values into issues, docs, commits, chat, logs, screenshots, or support forms.

Rotation Categories

Rotation Steps

Do Not Share

Do not commit real .env files. Do not paste secrets into issues, docs, commits, chat, logs, screenshots, support forms, or browser-visible pages. Public examples must use placeholders only.

Forum Tip Route Note

Direct /forum/tip/post and /forum/tip/reply are not usable public tip routes on the public origin, but currently return 405 HTML rather than JSON 410. The API routes return 410 with the retired-tipping code. This behavior is acceptable for now and should remain documented unless future backend routing cleanly normalizes it.