# Security Remediation

## Immediate actions

1. Revoke and rotate any Gitea PAT previously stored in `backend/mappings.db`.
2. Rotate any secrets encrypted with historical `ENCRYPTION_KEY` values.
3. Reset affected local admin/test credentials if they ever existed outside disposable dev environments.

## Purge git history

The repository history contains binary databases with sensitive data. Rewrite history before treating the repository as clean.

Recommended targets:

- `backend/mappings.db`
- `backend/tasks.db`
- `backend/auth.db`
- `backend/backend/auth.db`
- `backend/test_auth_debug.py`
- `backend/test_decryption.py`
- `backend/test_encryption.py`

Example with `git filter-repo`:

```bash
git filter-repo \
  --invert-paths \
  --path backend/mappings.db \
  --path backend/tasks.db \
  --path backend/auth.db \
  --path backend/backend/auth.db \
  --path backend/test_auth_debug.py \
  --path backend/test_decryption.py \
  --path backend/test_encryption.py
```

After rewrite:

```bash
git for-each-ref --format='delete %(refname)' refs/original | git update-ref --stdin
git reflog expire --expire=now --all
git gc --prune=now --aggressive
git push --force --all
git push --force --tags
```

Everyone with old clones must re-clone or hard-reset to the rewritten history.

## Ongoing checks

Run:

```bash
./scripts/scan_secrets.sh
```

before release and before pushing history-rewrite results.
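
A check to run after the rewrite described under "Purge git history" and before the force-push, as an added example that is not part of this repository's scripts: it lists every path touched by any commit reachable from any ref and reports purge targets that still appear. The function names (`leftover_targets`, `history_paths`, `check_purge`) are hypothetical.

```bash
#!/bin/sh
# Added example (not one of the repository's scripts): confirm that the
# purge targets are gone from every commit reachable from any ref.

# Paths listed under "Purge git history" on this page.
PURGE_TARGETS='backend/mappings.db
backend/tasks.db
backend/auth.db
backend/backend/auth.db
backend/test_auth_debug.py
backend/test_decryption.py
backend/test_encryption.py'

# Read a path listing (one path per line) on stdin and print each purge
# target that occurs in it. Matching is exact and whole-line, so
# backend/auth.db.bak does not count as backend/auth.db.
leftover_targets() {
    listing=$(cat)
    printf '%s\n' "$PURGE_TARGETS" | while IFS= read -r target; do
        if printf '%s\n' "$listing" | grep -Fxq -- "$target"; then
            printf '%s\n' "$target"
        fi
    done
}

# Every path touched by any commit on any ref (branches, tags, stashes).
# -m makes merge commits report their changed paths as well.
history_paths() {
    git -C "${1:-.}" log --all -m --format= --name-only | sort -u
}

# Return non-zero and name the offending paths if anything survived.
check_purge() {
    found=$(history_paths "$1" | leftover_targets)
    if [ -n "$found" ]; then
        printf 'still in history:\n%s\n' "$found" >&2
        return 1
    fi
    echo "purge targets absent from all reachable history"
}

# Usage: sh check_purge.sh /path/to/rewritten/clone
if [ "$#" -gt 0 ]; then
    check_purge "$1"
fi
```

This only covers history reachable from refs in the local clone; objects left unreachable by the rewrite remain on disk until the `git gc --prune=now` step has run.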