security: rotate bootstrap and clean workspace

2026-03-13 12:14:37 +03:00
parent 03a90f58bd
commit feb07bf366
10 changed files with 219 additions and 21 deletions
--- a/docs/installation.md
+++ b/docs/installation.md
@@ -234,10 +234,12 @@ source .venv/bin/activate
 python src/scripts/init_auth_db.py
 ```

+При первом запуске скрипт создаёт `backend/.env` и записывает туда `ENCRYPTION_KEY`, если ключ не был задан через окружение заранее.
+
 ### 2. Создание администратора

 ```bash
-python src/scripts/create_admin.py --username admin --password admin
+python src/scripts/create_admin.py --username admin --password '<strong-temporary-secret>'
 ```

 **Важно**: После создания администратора измените пароль в продакшн-среде!
--- a/docs/security-remediation.md
+++ b/docs/security-remediation.md
@@ -0,0 +1,57 @@
+# Security Remediation
+
+## Immediate actions
+
+1. Revoke and rotate any Gitea PAT previously stored in `backend/mappings.db`.
+2. Rotate any secrets encrypted with historical `ENCRYPTION_KEY` values.
+3. Reset affected local admin/test credentials if they ever existed outside disposable dev environments.
+
+## Purge git history
+
+The repository history contains binary databases with sensitive data. Rewrite history before treating the repository as clean.
+
+Recommended targets:
+
+- `backend/mappings.db`
+- `backend/tasks.db`
+- `backend/auth.db`
+- `backend/backend/auth.db`
+- `backend/test_auth_debug.py`
+- `backend/test_decryption.py`
+- `backend/test_encryption.py`
+
+Example with `git filter-repo`:
+
+```bash
+git filter-repo \
+  --invert-paths \
+  --path backend/mappings.db \
+  --path backend/tasks.db \
+  --path backend/auth.db \
+  --path backend/backend/auth.db \
+  --path backend/test_auth_debug.py \
+  --path backend/test_decryption.py \
+  --path backend/test_encryption.py
+```
+
+After rewrite:
+
+```bash
+git for-each-ref --format='delete %(refname)' refs/original | git update-ref --stdin
+git reflog expire --expire=now --all
+git gc --prune=now --aggressive
+git push --force --all
+git push --force --tags
+```
+
+Everyone with old clones must re-clone or hard-reset to the rewritten history.
+
+## Ongoing checks
+
+Run:
+
+```bash
+./scripts/scan_secrets.sh
+```
+
+before release and before pushing history-rewrite results.