proxmox/scripts/cleanup-docs-secrets.sh

#!/bin/bash
# Clean up secrets from documentation files
# Replaces actual secret values with placeholders while preserving structure

set -euo pipefail

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[⚠]${NC} $1"; }
log_error() { echo -e "${RED}[✗]${NC} $1"; }

PROJECT_ROOT="${PROJECT_ROOT:-/home/intlc/projects/proxmox}"
DRY_RUN="${DRY_RUN:-true}"

# Files to exclude (our inventory docs should keep secrets for reference)
EXCLUDE_PATTERNS=(
    "SECRETS_QUICK_REFERENCE.md"
    "MASTER_SECRETS_INVENTORY.md"
    "SECRETS_MIGRATION_SUMMARY.md"
    "SECURITY_AUDIT_REPORT.md"
    "SECRET_USAGE_PATTERNS.md"
    "ENV_SECRETS_AUDIT_REPORT.md"
    "REQUIRED_SECRETS_INVENTORY.md"
    "REQUIRED_SECRETS_SUMMARY.md"
)

echo "═══════════════════════════════════════════════════════════"
echo "  Documentation Secrets Cleanup"
echo "═══════════════════════════════════════════════════════════"
echo ""

log_info "Mode: $([ "$DRY_RUN" = "true" ] && echo "DRY RUN" || echo "LIVE")"
echo ""

# Secret replacement patterns
declare -A REPLACEMENTS=(
    ["0x5373d11ee2cad4ed82b9208526a8c358839cbfe325919fb250f062a25153d1c8"]="[PRIVATE_KEY_REDACTED]"
    ["5373d11ee2cad4ed82b9208526a8c358839cbfe325919fb250f062a25153d1c8"]="[PRIVATE_KEY_REDACTED]"
    ["5e72443d6f357af402859433b115f5b7394786b2624a7cd7e670256a2467bd14"]="[PRIVATE_KEY_REDACTED]"
    ["JSEO_sruWB6lf1id77gtI7HOLVdhkhaR2goPEJIk"]="[CLOUDFLARE_API_TOKEN_REDACTED]"
    ["ce8219e321e1cd97bd590fb792d3caeb7e2e3b94ca7e20124acaf253f911ff72"]="[NPM_PASSWORD_HASH_REDACTED]"
    ["L@ker\$2010"]="[NPM_PASSWORD_REDACTED]"
    ["L@ker$2010"]="[NPM_PASSWORD_REDACTED]"
    ["L@kers2010"]="[UNIFI_PASSWORD_REDACTED]"
    ["L@kers2010\$\$"]="[UNIFI_PASSWORD_REDACTED]"
    ["L@kers2010$$"]="[UNIFI_PASSWORD_REDACTED]"
)

# Find markdown files with secrets
log_info "Scanning documentation files..."
FILES_TO_CLEAN=()

while IFS= read -r file; do
    # Check if file should be excluded
    skip=false
    for pattern in "${EXCLUDE_PATTERNS[@]}"; do
        if [[ "$file" == *"$pattern"* ]]; then
            skip=true
            break
        fi
    done
    
    if [ "$skip" = true ]; then
        continue
    fi
    
    # Check if file contains secrets
    for secret in "${!REPLACEMENTS[@]}"; do
        if grep -q "$secret" "$file" 2>/dev/null; then
            FILES_TO_CLEAN+=("$file")
            break
        fi
    done
done < <(find "$PROJECT_ROOT/docs" -type f -name "*.md" 2>/dev/null || true)

if [ ${#FILES_TO_CLEAN[@]} -eq 0 ]; then
    log_success "No documentation files found with secrets (excluding inventory docs)"
    exit 0
fi

echo "Found ${#FILES_TO_CLEAN[@]} file(s) with secrets:"
for file in "${FILES_TO_CLEAN[@]}"; do
    echo "  - $file"
done
echo ""

if [ "$DRY_RUN" = "true" ]; then
    log_warn "DRY RUN - No changes will be made"
    echo ""
    log_info "Would clean up secrets in:"
    for file in "${FILES_TO_CLEAN[@]}"; do
        log_info "  $file"
    done
    echo ""
    log_info "To perform cleanup, run:"
    log_info "  DRY_RUN=false $0"
else
    log_info "Cleaning up secrets..."
    
    for file in "${FILES_TO_CLEAN[@]}"; do
        log_info "Processing: $file"
        
        # Create backup
        cp "$file" "${file}.backup.$(date +%Y%m%d_%H%M%S)"
        
        # Replace secrets
        for secret in "${!REPLACEMENTS[@]}"; do
            replacement="${REPLACEMENTS[$secret]}"
            # Escape special characters for sed
            escaped_secret=$(printf '%s\n' "$secret" | sed 's/[[\.*^$()+?{|]/\\&/g')
            sed -i "s|$escaped_secret|$replacement|g" "$file"
        done
        
        log_success "  Cleaned: $file"
    done
    
    log_success "Cleanup complete!"
    log_info "Backups created with .backup.* suffix"
fi

echo ""
echo "═══════════════════════════════════════════════════════════"