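#!/usr/bin/env bash
# Clean up secrets from documentation files
# Replaces actual secret values with placeholders while preserving structure
#
# Usage:
#   DRY_RUN=true  <this script>    # default: list affected files, change nothing
#   DRY_RUN=false <this script>    # rewrite files in place, keeping a .backup.* copy
#   PROJECT_ROOT=/path <this script>   # scan $PROJECT_ROOT/docs instead of the default
#
# NOTE(review): this script embeds, in plaintext, every secret value it is meant to
# redact, so it is itself a secrets file. Keep it out of version control, restrict it
# to the operator (chmod 600), never run it under `set -x`, and treat every value in
# REPLACEMENTS as compromised (it has already been written into docs) -- rotate them.
set -euo pipefail

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Logging helpers. printf is used instead of `echo -e` so that backslashes in the
# message itself (e.g. an odd file name) are printed verbatim rather than interpreted;
# only the color constants go through %b.
log_info()    { printf '%b%s%b %s\n' "$BLUE"   "[INFO]" "$NC" "$1"; }
log_success() { printf '%b%s%b %s\n' "$GREEN"  "[✓]"    "$NC" "$1"; }
log_warn()    { printf '%b%s%b %s\n' "$YELLOW" "[⚠]"    "$NC" "$1"; }
log_error()   { printf '%b%s%b %s\n' "$RED"    "[✗]"    "$NC" "$1"; }

PROJECT_ROOT="${PROJECT_ROOT:-/home/intlc/projects/proxmox}"
DRY_RUN="${DRY_RUN:-true}"

# Fail closed on a mistyped DRY_RUN: anything other than the two literal values used
# to be silently treated as LIVE, i.e. a typo would rewrite files.
case "$DRY_RUN" in
  true|false) ;;
  *)
    log_error "DRY_RUN must be 'true' or 'false' (got '$DRY_RUN')"
    exit 2
    ;;
esac

# Files to exclude (our inventory docs should keep secrets for reference)
# NOTE(review): plaintext secret inventories in the docs tree are exactly what this
# script exists to remove; keeping them "for reference" only works if these files are
# themselves outside version control and access-restricted. Confirm before relying on it.
EXCLUDE_PATTERNS=(
  "SECRETS_QUICK_REFERENCE.md"
  "MASTER_SECRETS_INVENTORY.md"
  "SECRETS_MIGRATION_SUMMARY.md"
  "SECURITY_AUDIT_REPORT.md"
  "SECRET_USAGE_PATTERNS.md"
  "ENV_SECRETS_AUDIT_REPORT.md"
  "REQUIRED_SECRETS_INVENTORY.md"
  "REQUIRED_SECRETS_SUMMARY.md"
)

echo "═══════════════════════════════════════════════════════════"
echo "  Documentation Secrets Cleanup"
echo "═══════════════════════════════════════════════════════════"
echo ""
if [ "$DRY_RUN" = "true" ]; then
  mode="DRY RUN"
else
  mode="LIVE"
fi
log_info "Mode: $mode"
echo ""

# Secret replacement patterns: literal value -> placeholder.
# Every key is a LITERAL string (matched with grep -F / bash substitution, not as a
# regex). Inside double quotes, '$' must be escaped: an unescaped "$2" expands to the
# second positional parameter (and aborts under `set -u`), and "$$" expands to the
# shell's PID, so such a key would never match the real value. The bare hex key and
# its 0x-prefixed form are both listed so the prefix is redacted as well.
declare -A REPLACEMENTS=(
  ["0x5373d11ee2cad4ed82b9208526a8c358839cbfe325919fb250f062a25153d1c8"]="[PRIVATE_KEY_REDACTED]"
  ["5373d11ee2cad4ed82b9208526a8c358839cbfe325919fb250f062a25153d1c8"]="[PRIVATE_KEY_REDACTED]"
  ["5e72443d6f357af402859433b115f5b7394786b2624a7cd7e670256a2467bd14"]="[PRIVATE_KEY_REDACTED]"
  ["JSEO_sruWB6lf1id77gtI7HOLVdhkhaR2goPEJIk"]="[CLOUDFLARE_API_TOKEN_REDACTED]"
  ["ce8219e321e1cd97bd590fb792d3caeb7e2e3b94ca7e20124acaf253f911ff72"]="[NPM_PASSWORD_HASH_REDACTED]"
  ["L@ker\$2010"]="[NPM_PASSWORD_REDACTED]"
  ["L@kers2010"]="[UNIFI_PASSWORD_REDACTED]"
  ["L@kers2010\$\$"]="[UNIFI_PASSWORD_REDACTED]"
)

# Find markdown files with secrets
log_info "Scanning documentation files..."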
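# Longest secret first, so a value that is a prefix of another one (the bare hex key
# vs. its 0x-prefixed form, a password vs. the same password with a suffix) is never
# half-redacted by the shorter entry. Associative-array iteration order is
# unspecified, so the order is pinned here; keys are known to contain no tab/newline.
ORDERED_SECRETS=()
while IFS= read -r secret; do
  ORDERED_SECRETS+=("$secret")
done < <(
  for secret in "${!REPLACEMENTS[@]}"; do
    printf '%d\t%s\n' "${#secret}" "$secret"
  done | LC_ALL=C sort -rn | cut -f2-
)

# is_excluded PATH -> 0 if PATH contains any EXCLUDE_PATTERNS entry (substring match
# on the full path, as before), 1 otherwise.
is_excluded() {
  local path=$1 pattern
  for pattern in "${EXCLUDE_PATTERNS[@]}"; do
    if [[ "$path" == *"$pattern"* ]]; then
      return 0
    fi
  done
  return 1
}

# has_secret PATH -> 0 if PATH contains any secret value, 1 otherwise.
# -F: the values are literals, not regexes ('$', '.', '@' must not be interpreted);
# -- : a value starting with '-' must not be parsed as an option.
has_secret() {
  local path=$1 secret
  for secret in "${ORDERED_SECRETS[@]}"; do
    if grep -qF -- "$secret" "$path" 2>/dev/null; then
      return 0
    fi
  done
  return 1
}

# redact_file PATH: keep a timestamped backup, then rewrite PATH with every secret
# replaced by its placeholder. Uses bash substitution instead of sed so there is no
# regex/delimiter/'&' escaping to get wrong -- a quoted pattern is matched literally.
redact_file() {
  local path=$1 secret content backup
  backup="${path}.backup.$(date +%Y%m%d_%H%M%S)"
  cp -- "$path" "$backup"
  # The backup still holds the plaintext secrets; keep it owner-only.
  chmod 600 -- "$backup"
  # Read the whole file; the trailing 'x' keeps $(...) from stripping final newlines.
  content=$(cat -- "$path" && printf 'x')
  content=${content%x}
  for secret in "${ORDERED_SECRETS[@]}"; do
    content=${content//"$secret"/"${REPLACEMENTS[$secret]}"}
  done
  printf '%s' "$content" > "$path"
}

FILES_TO_CLEAN=()
# NUL-delimited so paths with spaces/newlines survive; find errors (e.g. a missing
# docs dir) are deliberately ignored and reported as "no files found" below.
while IFS= read -r -d '' file; do
  is_excluded "$file" && continue
  has_secret "$file" && FILES_TO_CLEAN+=("$file")
done < <(find "$PROJECT_ROOT/docs" -type f -name "*.md" -print0 2>/dev/null || true)

if [ "${#FILES_TO_CLEAN[@]}" -eq 0 ]; then
  log_success "No documentation files found with secrets (excluding inventory docs)"
  exit 0
fi

echo "Found ${#FILES_TO_CLEAN[@]} file(s) with secrets:"
for file in "${FILES_TO_CLEAN[@]}"; do
  echo "  - $file"
done
echo ""

if [ "$DRY_RUN" = "true" ]; then
  log_warn "DRY RUN - No changes will be made"
  echo ""
  log_info "Would clean up secrets in:"
  for file in "${FILES_TO_CLEAN[@]}"; do
    log_info "  $file"
  done
  echo ""
  log_info "To perform cleanup, run:"
  log_info "  DRY_RUN=false $0"
else
  log_info "Cleaning up secrets..."
  for file in "${FILES_TO_CLEAN[@]}"; do
    log_info "Processing: $file"
    redact_file "$file"
    log_success "  Cleaned: $file"
  done
  log_success "Cleanup complete!"
  log_info "Backups created with .backup.* suffix"
  log_warn "Backups contain the original plaintext secrets - do not commit them; delete once verified"
fi

echo ""
echo "═══════════════════════════════════════════════════════════"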