chore(secrets): untrack env files + add JWT path to .gitignore
backend/config/development.env and backend/config/production.env were
committed to the repo with real API keys, SMTP passwords, and Flask
SECRET_KEY values. This commit:
1. Adds both files to .gitignore so future edits stop landing in git.
2. git rm --cached's them (local copies preserved on disk, just
untracked).
3. Also pre-emptively adds backend/config/box_jwt_config.json to
.gitignore — Phase 4 already gitignores it on a separate branch, but
listing it here protects the file regardless of merge order.
4. Updates backend/config/.env.template with the new Box JWT-related
vars (BOX_JWT_CONFIG_PATH, BOX_WEBHOOK_PRIMARY_KEY,
BOX_WEBHOOK_SECONDARY_KEY) so the template is a complete reference
for setting up a new environment from scratch.
IMPORTANT — secrets still in git history after this commit. Removing
them from history requires a destructive rewrite (git filter-repo +
force-push every branch). Pragmatic alternative: rotate any secret
that was ever in the files. Candidates: OPENAI_API_KEY, BOX_CLIENT_SECRET,
SECRET_KEY, SMTP_PASSWORD. AZURE_TENANT_ID and AZURE_CLIENT_ID are
public-ish identifiers and don't need rotating. GOOGLE_API_KEY just
rotated this session.
DEPLOY GOTCHA: deploy.sh does git reset --hard, which will delete the
env files from /opt/ai_qc/backend/config/ on the server when this
commit lands. Back them up before deploying, restore after:
sudo cp /opt/ai_qc/backend/config/development.env /tmp/dev.env.bak
# ...deploy...
sudo cp /tmp/dev.env.bak /opt/ai_qc/backend/config/development.env
sudo systemctl restart ai-qc.service
Same dance on prod with production.env when promoting.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
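Two POSIX sh helpers, added here as an example and not part of this commit or the project's deploy.sh, that check the two points the message above makes: a file that was `git rm --cached`'d is gone from HEAD but its old contents are still recoverable from history (so rotation is the real fix), and untracked env files have to be carried across a deploy step that runs `git reset --hard`. Every path and the deploy command are whatever the caller passes; the repository and file contents used in the usage lines are constructed.

```shell
#!/bin/sh
# Added example, not the project's deploy.sh: two POSIX sh helpers that
# demonstrate the two points made in the commit message above.
#
#   secret_in_history REPO NEEDLE
#       exit 0 if NEEDLE occurs in any patch on any ref of REPO. A file that
#       was `git rm --cached`'d is gone from HEAD, but its old contents stay
#       reachable, which is why the message says rotation is still needed.
#
#   run_preserving CMD FILE...
#       copy each FILE aside, run CMD (the deploy step that does
#       `git reset --hard`), put every FILE back, and fail if a restored
#       copy is not byte-identical. CMD's own exit status is returned, so a
#       failed deploy is still reported after the files are restored.

secret_in_history() {
    repo=$1
    needle=$2
    # --all walks every branch and tag; -p prints each commit's full patch,
    # so the removed lines of a later "untrack" commit are searched as well.
    git -C "$repo" log --all -p -- 2>/dev/null | grep -qF -- "$needle"
}

run_preserving() {
    cmd=$1
    shift
    stash=$(mktemp -d) || return 1
    for f in "$@"; do
        # keep the original directory layout under the stash so two files
        # with the same basename on different paths do not collide
        mkdir -p "$stash/$(dirname "$f")" || { rm -rf "$stash"; return 1; }
        cp -p "$f" "$stash/$f" || { rm -rf "$stash"; return 1; }
    done
    if sh -c "$cmd"; then status=0; else status=$?; fi
    for f in "$@"; do
        mkdir -p "$(dirname "$f")"
        cp -p "$stash/$f" "$f"
        if ! cmp -s "$stash/$f" "$f"; then
            echo "run_preserving: restored $f does not match backup" >&2
            rm -rf "$stash"
            return 1
        fi
    done
    rm -rf "$stash"
    return "$status"
}

# Usage on a server laid out like the one in the message (paths and the
# deploy command are the caller's, OLD_SMTP_PASSWORD is a constructed name):
#   run_preserving 'sudo ./deploy.sh && sudo systemctl restart ai-qc.service' \
#       /opt/ai_qc/backend/config/development.env
#   secret_in_history . "$OLD_SMTP_PASSWORD" && echo 'still in history: rotate it'
```

`run_preserving` returns the deploy command's own exit status after the restore, so a failed deploy does not leave the server without its env file and is still visible to whatever called it; `secret_in_history` is a plain substring search over `git log --all -p`, which is enough to prove the point that untracking is not purging.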
This commit is contained in:
parent
95121f2fb9
commit
cfb13eb870
4 changed files with 18 additions and 87 deletions
3
.gitignore
vendored
@ -74,3 +74,6 @@ backend/media_plans/
|
|||
backend/usage_logs/
|
||||
backend/user_access.json
|
||||
backend/box_tokens.json
|
||||
backend/config/development.env
|
||||
backend/config/production.env
|
||||
backend/config/box_jwt_config.json
|
||||
|
|
|
|||
|
|
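Review bot: the three new entries are exact paths, so a future `backend/config/staging.env` or a renamed JWT file would land in git exactly as these two did; a pattern such as `backend/config/*.env` covers every env file in that directory while still leaving `backend/config/.env.template` tracked (its name does not end in `.env`), and the JWT path can stay as the explicit entry. Note also that these lines only stop future `git add`s; the `git rm --cached` step described in the message is what untracks the two files already in the index, so after merging it is worth confirming with `git ls-files backend/config` that only `.env.template` remains.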
@ -36,7 +36,7 @@ SENDER_EMAIL=noreply@your-domain.com
|
|||
ERROR_EMAIL=admin@your-domain.com
|
||||
REPORT_EMAILS=admin@your-domain.com
|
||||
|
||||
# Box.com OAuth (per-creator user authentication for automation folders)
|
||||
# Box.com OAuth (per-creator user authentication — legacy/dormant scaffolding)
|
||||
# Register a Custom App with OAuth 2.0 (User Authentication) in Box Developer Console.
|
||||
# In the app's Configuration tab, add ALL the redirect URIs you'll use:
|
||||
# http://localhost:7183/auth/box/callback (local dev)
|
||||
|
|
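Review bot: relabelling the OAuth block as "legacy/dormant scaffolding" leaves BOX_CLIENT_ID and BOX_CLIENT_SECRET in the template without saying whether the app still reads them, so someone provisioning a new environment from this file will still go and create a client secret that may never be used and then has to be rotated alongside the ones listed in the message. A one-line hint next to the relabelled comment, e.g. `# Leave blank unless the OAuth flow is re-enabled`, would settle that.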
@ -46,4 +46,17 @@ REPORT_EMAILS=admin@your-domain.com
|
|||
# to set BOX_REDIRECT_URI per server — uncomment only as an override.
|
||||
BOX_CLIENT_ID=your-box-client-id
|
||||
BOX_CLIENT_SECRET=your-box-client-secret
|
||||
# BOX_REDIRECT_URI=
|
||||
# BOX_REDIRECT_URI=
|
||||
|
||||
# Box.com JWT (service-account auth — used by /api/box/webhook for unattended QC)
|
||||
# Drop the JSON Box gives you for the "Custom App with Server Authentication (JWT)"
|
||||
# at backend/config/box_jwt_config.json (gitignored, scp'd onto each server).
|
||||
# Override the path with BOX_JWT_CONFIG_PATH if you store it elsewhere.
|
||||
# BOX_JWT_CONFIG_PATH=/opt/ai_qc/backend/config/box_jwt_config.json
|
||||
|
||||
# Box V2 webhook signing keys (one app-level pair, used by every webhook the
|
||||
# Custom App owns). Get them from Box Developer Console → Custom App → Webhooks
|
||||
# tab → "Manage Signature Keys". Both are valid simultaneously — Box uses a
|
||||
# rolling-rotate model so you can rotate one at a time without downtime.
|
||||
BOX_WEBHOOK_PRIMARY_KEY=
|
||||
BOX_WEBHOOK_SECONDARY_KEY=
|
||||
|
|
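Review bot: the new comment says the JWT JSON is scp'd onto each server but not who should own it or what mode it needs; that file carries the app's private key and its passphrase, so add a line beside the path such as `# owned by the service user, mode 0600`. The two webhook keys are left as empty assignments (`BOX_WEBHOOK_PRIMARY_KEY=`), which will be read as empty strings rather than as "unset" by most env loaders; either use the `your-...` placeholder style the rest of the template uses, or make sure the webhook handler refuses to start when either value is blank. Finally, the commented default `/opt/ai_qc/backend/config/box_jwt_config.json` is the server path, so a note on where local development looks when BOX_JWT_CONFIG_PATH is unset would make the template the complete reference the message says it is.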
@ -1,43 +0,0 @@
|
|||
# Development Environment Configuration
|
||||
# This file is used for local development testing
|
||||
|
||||
# OpenAI Configuration
|
||||
OPENAI_API_KEY=sk-svcacct-HSREzGYDnN-vCVGAh6LhYqlNcJVF2oefMrY9oCsdDsQFmyVJyHpLb1eSb_mp_vP4YPl4T3BlbkFJzKaOrPghIzx76_22K8VjwO6j2JnoDEvrYDrgfrnA4WjD5sTMnhOqGHXximwGXFhUoYgA
|
||||
GOOGLE_API_KEY=AIzaSyDMWN_PAnyU7bPmtWcEKq4LJfiu1KuwUsU
|
||||
|
||||
# Azure AD / MSAL Authentication Configuration (Development App Registration)
|
||||
# NOTE: You'll need to create a separate app registration for development
|
||||
AZURE_TENANT_ID=e519c2e6-bc6d-4fdf-8d9c-923c2f002385
|
||||
AZURE_CLIENT_ID=9079054c-9620-4757-a256-23413042f1ef
|
||||
AZURE_REDIRECT_URI=http://localhost:7183
|
||||
|
||||
# Flask Configuration
|
||||
FLASK_ENV=development
|
||||
SECRET_KEY=dev-secret-key-change-this-for-security
|
||||
DEBUG_MODE=true
|
||||
PORT=7183
|
||||
|
||||
# Application Configuration
|
||||
ENVIRONMENT=development
|
||||
BASE_URL=http://localhost:7183
|
||||
UPLOAD_FOLDER=uploads-dev
|
||||
OUTPUT_FOLDER=output-dev
|
||||
|
||||
# Development-specific settings
|
||||
LOG_LEVEL=DEBUG
|
||||
ENABLE_DEBUG_ENDPOINTS=true
|
||||
|
||||
# Mailgun / SMTP (for email notifications)
|
||||
SMTP_SERVER=smtp.mailgun.org
|
||||
SMTP_PORT=587
|
||||
SMTP_USER=twist@mail.dev.oliver.solutions
|
||||
SMTP_PASSWORD=102115e9f3b9d7332d0cd1d4329bc0d4-77751bfc-ca066b71
|
||||
SENDER_EMAIL=TWIST-UK-SERVER@oliver.agency
|
||||
ERROR_EMAIL=nick.viljoen@brandtech.plus
|
||||
REPORT_EMAILS=nick.viljoen@brandtech.plus
|
||||
|
||||
# Box.com OAuth (per-creator user authentication for automation folders)
|
||||
# Redirect URI is computed from each request — no need to hardcode it per server.
|
||||
# Set BOX_REDIRECT_URI here only as an override if request-based detection fails.
|
||||
BOX_CLIENT_ID=o9zxyl6j917q0bkndrwfi2x5zbdeanh5
|
||||
BOX_CLIENT_SECRET=yejdbWTeBOcdsDImpNQ7nvLJZad3e0Jm
|
||||
|
|
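Review bot: this deletion hunk reproduces every value in development.env, so the commit page itself continues to expose OPENAI_API_KEY, GOOGLE_API_KEY, SMTP_PASSWORD and BOX_CLIENT_SECRET regardless of what happens to the working tree or the index; the message's "pragmatic alternative" of rotating them should be treated as mandatory, and the SMTP_USER, SENDER_EMAIL, ERROR_EMAIL and REPORT_EMAILS addresses are now public too. The Azure block's note that a separate development app registration is needed is contradicted by the values: AZURE_TENANT_ID and AZURE_CLIENT_ID here are identical to the production file's, so either the note is stale or the registration was never split.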
@ -1,42 +0,0 @@
|
|||
# Production Environment Configuration
|
||||
# This file is used for production deployment on the web server
|
||||
|
||||
# OpenAI Configuration
|
||||
OPENAI_API_KEY=sk-svcacct-HSREzGYDnN-vCVGAh6LhYqlNcJVF2oefMrY9oCsdDsQFmyVJyHpLb1eSb_mp_vP4YPl4T3BlbkFJzKaOrPghIzx76_22K8VjwO6j2JnoDEvrYDrgfrnA4WjD5sTMnhOqGHXximwGXFhUoYgA
|
||||
GOOGLE_API_KEY=AIzaSyDMWN_PAnyU7bPmtWcEKq4LJfiu1KuwUsU
|
||||
|
||||
# Azure AD / MSAL Authentication Configuration (Production)
|
||||
AZURE_TENANT_ID=e519c2e6-bc6d-4fdf-8d9c-923c2f002385
|
||||
AZURE_CLIENT_ID=9079054c-9620-4757-a256-23413042f1ef
|
||||
AZURE_REDIRECT_URI=https://ai-sandbox.oliver.solutions/ai_qc/
|
||||
|
||||
# Flask Configuration
|
||||
FLASK_ENV=production
|
||||
SECRET_KEY=prod-ai-qc-oliver-solutions-2025-secure-key-9f8e7d6c5b4a3
|
||||
DEBUG_MODE=false
|
||||
PORT=7184
|
||||
|
||||
# Application Configuration
|
||||
ENVIRONMENT=production
|
||||
BASE_URL=https://ai-sandbox.oliver.solutions/ai_qc
|
||||
UPLOAD_FOLDER=uploads
|
||||
OUTPUT_FOLDER=output
|
||||
|
||||
# Production-specific settings
|
||||
LOG_LEVEL=INFO
|
||||
ENABLE_DEBUG_ENDPOINTS=false
|
||||
|
||||
# Mailgun / SMTP (for email notifications)
|
||||
SMTP_SERVER=smtp.mailgun.org
|
||||
SMTP_PORT=587
|
||||
SMTP_USER=twist@mail.dev.oliver.solutions
|
||||
SMTP_PASSWORD=102115e9f3b9d7332d0cd1d4329bc0d4-77751bfc-ca066b71
|
||||
SENDER_EMAIL=TWIST-UK-SERVER@oliver.agency
|
||||
ERROR_EMAIL=nick.viljoen@brandtech.plus
|
||||
REPORT_EMAILS=nick.viljoen@brandtech.plus
|
||||
|
||||
# Box.com OAuth (per-creator user authentication for automation folders)
|
||||
# Redirect URI is computed from each request — no need to hardcode it per server.
|
||||
# Set BOX_REDIRECT_URI here only as an override if request-based detection fails.
|
||||
BOX_CLIENT_ID=o9zxyl6j917q0bkndrwfi2x5zbdeanh5
|
||||
BOX_CLIENT_SECRET=yejdbWTeBOcdsDImpNQ7nvLJZad3e0Jm
|
||||
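Review bot: production.env shares OPENAI_API_KEY, GOOGLE_API_KEY, SMTP_PASSWORD and BOX_CLIENT_SECRET verbatim with development.env, so a single rotation covers both files, but it also means development and production were never isolated from each other: any leak on the dev side was a leak of production credentials. SECRET_KEY here is a readable string (`prod-ai-qc-oliver-solutions-2025-...`) rather than random bytes; when it is rotated, generate it with something like `python3 -c 'import secrets; print(secrets.token_hex(32))'`, and plan the restart, since changing the Flask SECRET_KEY invalidates every existing signed session cookie.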