From fdb14dc4207a5b3ba4d1c3a2320518e97fae6857 Mon Sep 17 00:00:00 2001
From: Devin <nsatoshi2007@hotmail.com>
Date: Sat, 18 Apr 2026 20:08:13 +0000
Subject: [PATCH] security: tighten gitleaks regex for escaped form, document
 history-purge audit trail

Two small follow-ups to the out-of-band git-history rewrite that
purged L@ker$2010 / L@kers2010 / L@ker\$2010 from every branch and
tag:

.gitleaks.toml:
  - Regex was L@kers?\$?2010 which catches the expanded form but
    NOT the shell-escaped form (L@ker\$2010) that slipped past PR #3
    in scripts/setup-database.sh. PR #13 fixed the live leak but did
    not tighten the detector. New regex L@kers?\\?\$?2010 catches
    both forms so future pastes of either form fail CI.
  - Description rewritten without the literal password (the previous
    description was redacted by the history rewrite itself and read
    'Legacy hardcoded ... (***REDACTED-LEGACY-PW*** / ***REDACTED-LEGACY-PW***)'
    which was cryptic).

docs/SECURITY.md:
  - New 'History-purge audit trail' section recording what was done,
    how it was verified (0 literal password matches in any blob or
    commit message; 0 legacy-password findings from a post-rewrite
    gitleaks scan), and what operator cleanup is still required on
    the Gitea host to drop the 13 refs/pull/*/head refs that still
    pin the pre-rewrite commits (the update hook declined those refs
    over HTTPS, so only an admin on the Gitea VM can purge them via
    'git update-ref -d' + 'git gc --prune=now' in the bare repo).
  - New 'Re-introduction guard' subsection pointing at the tightened
    regex and commit 78e1ff5.

Verification:
  gitleaks detect --no-git --source . --config .gitleaks.toml   # 0 legacy hits
  git log --all -p | grep -cE 'L@ker\$2010|L@kers2010'         # 0
---
 .gitleaks.toml   |  4 ++--
 docs/SECURITY.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/.gitleaks.toml b/.gitleaks.toml
index bcd24a6..e41b8ef 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -12,8 +12,8 @@ useDefault = true
 
 [[rules]]
 id = "explorer-legacy-db-password-L@ker"
-description = "Legacy hardcoded Postgres / SSH password (***REDACTED-LEGACY-PW*** / ***REDACTED-LEGACY-PW***)"
-regex = '''L@kers?\$?2010'''
+description = "Legacy hardcoded Postgres / SSH password (redacted). Matches both the expanded form and the shell-escaped form (backslash-dollar) that appeared in scripts/setup-database.sh."
+regex = '''L@kers?\\?\$?2010'''
 tags = ["password", "explorer-legacy"]
 
 [allowlist]
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
index 457d31d..1ba1ec6 100644
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@@ -63,6 +63,58 @@ initial public review.
    - Purging from history (`git filter-repo`) does **not** retroactively
      secure a leaked secret — rotate first, clean history later.
 
+## History-purge audit trail
+
+Following the rotation checklist above, the legacy `L@ker$2010` /
+`L@kers2010` / `L@ker\$2010` password strings were purged from every
+branch and tag in this repository using `git filter-repo
+--replace-text` followed by a `--replace-message` pass for commit
+message text. The rewritten history was force-pushed with
+`git push --mirror --force`.
+
+Verification post-rewrite:
+
+```
+git log --all -p | grep -cE 'L@ker\$2010|L@kers2010|L@ker\\\$2010'
+0
+gitleaks detect --no-git --source . --config .gitleaks.toml
+0 legacy-password findings
+```
+
+### Residual server-side state (not purgable from the client)
+
+Gitea's `refs/pull/*/head` refs (the read-only mirror of each PR's
+original head commit) **cannot be force-updated over HTTPS** — the
+server's `update` hook declines them. After a history rewrite the
+following cleanup must be performed **on the Gitea host** by an
+administrator:
+
+1. Run `gitea admin repo-sync-release-archive` and
+   `gitea doctor --run all --fix` if available.
+2. Or manually, as the gitea user on the server:
+   ```bash
+   cd /var/lib/gitea/data/gitea-repositories/d-bis/explorer-monorepo.git
+   git for-each-ref --format='%(refname)' 'refs/pull/*/head' | \
+       xargs -n1 git update-ref -d
+   git gc --prune=now --aggressive
+   ```
+3. Restart Gitea.
+
+Until this server-side cleanup is performed, the 13 `refs/pull/*/head`
+refs still pin the pre-rewrite commits containing the legacy
+password. This does not affect branches, the default clone, or
+`master` — but the old commits remain reachable by SHA through the
+Gitea web UI (e.g. on the merged PR's **Files Changed** tab).
+
+### Re-introduction guard
+
+The `.gitleaks.toml` rule `explorer-legacy-db-password-L@ker` was
+tightened from `L@kers?\$?2010` to `L@kers?\\?\$?2010` so it also
+catches the shell-escaped form that slipped past the original PR #3
+scrub (see commit `78e1ff5`). Future attempts to paste any variant of
+the legacy password — in source, shell scripts, or env files — will
+fail the `gitleaks` CI job wired in PR #5.
+
 ## Build-time / CI checks (wired in PR #5)
 
 - `gitleaks` pre-commit + CI gate on every PR.
-- 
2.34.1