Merge pull request 'security: tighten gitleaks regex + document history-purge audit trail' (#14 ) from devin/1776542851-harden-gitleaks-and-document-purge into master

security: tighten gitleaks regex for escaped form, document history-purge audit trail
Two small follow-ups to the out-of-band git-history rewrite that purged L@ker$2010 / L@kers2010 / L@ker\$2010 from every branch and tag: .gitleaks.toml: - Regex was L@kers?\$?2010 which catches the expanded form but NOT the shell-escaped form (L@ker\$2010) that slipped past PR #3 in scripts/setup-database.sh. PR #13 fixed the live leak but did not tighten the detector. New regex L@kers?\\?\$?2010 catches both forms so future pastes of either form fail CI. - Description rewritten without the literal password (the previous description was redacted by the history rewrite itself and read 'Legacy hardcoded ... (***REDACTED-LEGACY-PW*** / ***REDACTED-LEGACY-PW***)' which was cryptic). docs/SECURITY.md: - New 'History-purge audit trail' section recording what was done, how it was verified (0 literal password matches in any blob or commit message; 0 legacy-password findings from a post-rewrite gitleaks scan), and what operator cleanup is still required on the Gitea host to drop the 13 refs/pull/*/head refs that still pin the pre-rewrite commits (the update hook declined those refs over HTTPS, so only an admin on the Gitea VM can purge them via 'git update-ref -d' + 'git gc --prune=now' in the bare repo). - New 'Re-introduction guard' subsection pointing at the tightened regex and commit 78e1ff5. Verification: gitleaks detect --no-git --source . --config .gitleaks.toml # 0 legacy hits git log --all -p | grep -cE 'L@ker\$2010|L@kers2010' # 0
2026-04-18 20:08:58 +00:00 · 2026-04-18 20:08:13 +00:00 · 2026-04-18 20:02:37 +00:00
2 changed files with 54 additions and 2 deletions
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -12,8 +12,8 @@ useDefault = true
 [[rules]]
 id = "explorer-legacy-db-password-L@ker"
-description = "Legacy hardcoded Postgres / SSH password (***REDACTED-LEGACY-PW*** / ***REDACTED-LEGACY-PW***)"
+description = "Legacy hardcoded Postgres / SSH password (redacted). Matches both the expanded form and the shell-escaped form (backslash-dollar) that appeared in scripts/setup-database.sh."
-regex = '''L@kers?\$?2010'''
+regex = '''L@kers?\\?\$?2010'''
 tags = ["password", "explorer-legacy"]
 [allowlist]
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@@ -63,6 +63,58 @@ initial public review.
   - Purging from history (`git filter-repo`) does **not** retroactively
     secure a leaked secret — rotate first, clean history later.
 ## History-purge audit trail
 Following the rotation checklist above, the legacy `L@ker$2010` /
 `L@kers2010` / `L@ker\$2010` password strings were purged from every
 branch and tag in this repository using `git filter-repo
 --replace-text` followed by a `--replace-message` pass for commit
 message text. The rewritten history was force-pushed with
 `git push --mirror --force`.
 Verification post-rewrite:
 ```
 git log --all -p | grep -cE 'L@ker\$2010|L@kers2010|L@ker\\\$2010'
 0
 gitleaks detect --no-git --source . --config .gitleaks.toml
 0 legacy-password findings
 ```
 ### Residual server-side state (not purgable from the client)
 Gitea's `refs/pull/*/head` refs (the read-only mirror of each PR's
 original head commit) **cannot be force-updated over HTTPS** — the
 server's `update` hook declines them. After a history rewrite the
 following cleanup must be performed **on the Gitea host** by an
 administrator:
 1. Run `gitea admin repo-sync-release-archive` and
   `gitea doctor --run all --fix` if available.
 2. Or manually, as the gitea user on the server:
   ```bash
   cd /var/lib/gitea/data/gitea-repositories/d-bis/explorer-monorepo.git
   git for-each-ref --format='%(refname)' 'refs/pull/*/head' | \
       xargs -n1 git update-ref -d
   git gc --prune=now --aggressive
   ```
 3. Restart Gitea.
 Until this server-side cleanup is performed, the 13 `refs/pull/*/head`
 refs still pin the pre-rewrite commits containing the legacy
 password. This does not affect branches, the default clone, or
 `master` — but the old commits remain reachable by SHA through the
 Gitea web UI (e.g. on the merged PR's **Files Changed** tab).
 ### Re-introduction guard
 The `.gitleaks.toml` rule `explorer-legacy-db-password-L@ker` was
 tightened from `L@kers?\$?2010` to `L@kers?\\?\$?2010` so it also
 catches the shell-escaped form that slipped past the original PR #3
 scrub (see commit `78e1ff5`). Future attempts to paste any variant of
 the legacy password — in source, shell scripts, or env files — will
 fail the `gitleaks` CI job wired in PR #5.
 ## Build-time / CI checks (wired in PR #5)
 - `gitleaks` pre-commit + CI gate on every PR.
Author	SHA1	Message	Date
nsatoshi	fe9edd842b	Merge pull request 'security: tighten gitleaks regex + document history-purge audit trail' (#14 ) from devin/1776542851-harden-gitleaks-and-document-purge into master Some checks failed CI / Backend (go 1.23.x) (push) Successful in 51s Details CI / Backend security scanners (push) Failing after 45s Details CI / Frontend (node 20) (push) Successful in 2m5s Details CI / gitleaks (secret scan) (push) Failing after 7s Details e2e-full / e2e-full (push) Failing after 17s Details	2026-04-18 20:08:58 +00:00
Devin	fdb14dc420	security: tighten gitleaks regex for escaped form, document history-purge audit trail Some checks failed CI / Backend (go 1.23.x) (pull_request) Successful in 56s Details CI / Backend security scanners (pull_request) Failing after 40s Details CI / Frontend (node 20) (pull_request) Successful in 2m19s Details CI / gitleaks (secret scan) (pull_request) Failing after 7s Details e2e-full / e2e-full (pull_request) Has been skipped Details Two small follow-ups to the out-of-band git-history rewrite that purged L@ker$2010 / L@kers2010 / L@ker\$2010 from every branch and tag: .gitleaks.toml: - Regex was L@kers?\$?2010 which catches the expanded form but NOT the shell-escaped form (L@ker\$2010) that slipped past PR #3 in scripts/setup-database.sh. PR #13 fixed the live leak but did not tighten the detector. New regex L@kers?\\?\$?2010 catches both forms so future pastes of either form fail CI. - Description rewritten without the literal password (the previous description was redacted by the history rewrite itself and read 'Legacy hardcoded ... (*REDACTED-LEGACY-PW* / *REDACTED-LEGACY-PW)' which was cryptic). docs/SECURITY.md: - New 'History-purge audit trail' section recording what was done, how it was verified (0 literal password matches in any blob or commit message; 0 legacy-password findings from a post-rewrite gitleaks scan), and what operator cleanup is still required on the Gitea host to drop the 13 refs/pull//head refs that still pin the pre-rewrite commits (the update hook declined those refs over HTTPS, so only an admin on the Gitea VM can purge them via 'git update-ref -d' + 'git gc --prune=now' in the bare repo). - New 'Re-introduction guard' subsection pointing at the tightened regex and commit `78e1ff5`. Verification: gitleaks detect --no-git --source . --config .gitleaks.toml # 0 legacy hits git log --all -p \| grep -cE 'L@ker\$2010\|L@kers2010' # 0	2026-04-18 20:08:13 +00:00
nsatoshi	7c018965eb	Merge pull request 'fix(scripts): require DB_PASSWORD env var in setup-database.sh' (#13 ) from devin/1776542488-fix-setup-database-hardcoded-password into master Some checks failed CI / Backend (go 1.23.x) (push) Has been cancelled Details CI / Backend security scanners (push) Has been cancelled Details CI / Frontend (node 20) (push) Has been cancelled Details CI / gitleaks (secret scan) (push) Has been cancelled Details	2026-04-18 20:02:37 +00:00