backend/config/development.env and backend/config/production.env were
committed to the repo with real API keys, SMTP passwords, and Flask
SECRET_KEY values. This commit:
1. Adds both files to .gitignore so future edits stop landing in git.
2. git rm --cached's them (local copies preserved on disk, just
untracked).
3. Also pre-emptively adds backend/config/box_jwt_config.json to
.gitignore — Phase 4 already gitignores it on a separate branch, but
listing it here protects the file regardless of merge order.
4. Updates backend/config/.env.template with the new Box JWT-related
vars (BOX_JWT_CONFIG_PATH, BOX_WEBHOOK_PRIMARY_KEY,
BOX_WEBHOOK_SECONDARY_KEY) so the template is a complete reference
for setting up a new environment from scratch.
IMPORTANT — secrets still in git history after this commit. Removing
them from history requires a destructive rewrite (git filter-repo +
force-push every branch). Pragmatic alternative: rotate any secret
that was ever in the files. Candidates: OPENAI_API_KEY, BOX_CLIENT_SECRET,
SECRET_KEY, SMTP_PASSWORD. AZURE_TENANT_ID and AZURE_CLIENT_ID are
public-ish identifiers and don't need rotating. GOOGLE_API_KEY was just
rotated this session.
DEPLOY GOTCHA: deploy.sh does git reset --hard, which will delete the
env files from /opt/ai_qc/backend/config/ on the server when this
commit lands. Back them up before deploying, restore after:
sudo cp /opt/ai_qc/backend/config/development.env /tmp/dev.env.bak
# ...deploy...
sudo cp /tmp/dev.env.bak /opt/ai_qc/backend/config/development.env
sudo systemctl restart ai-qc.service
Same dance on prod with production.env when promoting.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
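An added example, not part of this commit or the project's deploy.sh: the backup/restore dance above as a reusable wrapper that keeps the copies in a private temp dir and restores them even when the deploy fails, plus a check that the env files really are no longer tracked by git. The env file paths and the deploy command are arguments; /opt/ai_qc/backend/config/development.env is only the expected input, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not the project's deploy.sh): wrap a destructive deploy step so
# untracked env files survive `git reset --hard`, and check that the secret
# files are really no longer tracked by git. Paths must not contain whitespace.
set -eu

# with_env_preserved FILE... -- CMD ARG...
#   e.g. with_env_preserved /opt/ai_qc/backend/config/development.env -- ./deploy.sh
with_env_preserved() {
    files=""
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        files="$files $1"; shift
    done
    [ $# -gt 0 ] && shift           # drop the "--"
    # mktemp -d gives a 0700 directory: the copies hold live secrets, so they must
    # not land world-readable in /tmp the way a bare `cp` under the default umask would.
    bak=$(mktemp -d) || return 1
    i=0
    for f in $files; do
        if [ -f "$f" ]; then
            cp -p "$f" "$bak/$i"    # -p keeps the file's mode (0600 expected)
        fi
        i=$((i + 1))
    done
    rc=0
    "$@" || rc=$?                   # run the deploy; restore even if it fails
    i=0
    for f in $files; do
        if [ -f "$bak/$i" ]; then
            mkdir -p "$(dirname "$f")"
            cp -p "$bak/$i" "$f"
        fi
        i=$((i + 1))
    done
    rm -rf "$bak"
    return "$rc"
}

# tracked_secrets REPO PATH...: print each path git still tracks (i.e. not yet
# `git rm --cached`'d); return 1 if any is tracked, 0 if all are untracked.
tracked_secrets() {
    repo=$1; shift
    found=0
    for p in "$@"; do
        if git -C "$repo" ls-files --error-unmatch "$p" >/dev/null 2>&1; then
            echo "$p"; found=1
        fi
    done
    return "$found"
}
```

Run tracked_secrets against the repo before every deploy; a non-zero exit means a secret file has crept back into the index.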