Secret Rotation Readiness
This checklist prepares operators to rotate secrets safely after any repository exposure. It does not include secret values and should never be filled in with real credentials.
Exposure Rule
Treat any previously committed real environment value as exposed, even when the file has been removed from the current tree. Do not rewrite Git history as part of routine deployment verification, and do not paste old values into issues, docs, commits, chat, logs, screenshots, or support forms.
Rotation Categories
- Rotate admin and operator tokens.
- Rotate JWT or session secrets.
- Rotate snapshot signing private keys if they were ever committed.
- Rotate deployment tokens.
- Rotate webhook secrets.
- Rotate database and storage credentials.
- Rotate private infrastructure values.
Rotation Steps
- Update hosting provider secrets or secret-store entries outside Git.
- Update GitHub Actions secrets if those categories are used by workflows.
- Update server environment values outside Git.
- Redeploy the backend from the clean tree.
- Verify
/api/readinessand/api/deployment. - Verify admin-protected routes still reject unauthenticated requests.
- Confirm
backend/.envremains ignored and untracked. - Keep only placeholder examples such as
backend/.env.examplein Git.
Do Not Share
Do not commit real .env files. Do not paste secrets into issues, docs, commits, chat, logs, screenshots, support forms, or browser-visible pages. Public examples must use placeholders only.
Forum Tip Route Note
Direct /forum/tip/post and /forum/tip/reply are not usable public tip routes on the public origin, but currently return 405 HTML rather than JSON 410. The API routes return 410 with the retired-tipping code. This behavior is acceptable for now and should remain documented unless future backend routing cleanly normalizes it.