# ⚠️ SECURITY NOTICE - .env Files Removed from Git

## What Happened

Multiple `.env` files containing potentially sensitive credentials were being tracked in git. These files have now been **removed from version control** (unstaged from the index with `git rm --cached`, so the removal is staged but not yet committed) but remain on your local filesystem.

## Files Removed from Git

The following files were removed from git tracking:

- `api/.env.development`
- `api/.env.production`
- `api/.env.staging`
- `apps/external/.env.production`
- `apps/main/.env.production`
- `apps/main/.env.staging`
- `backend/app/.env`
- `xtablo-expo/.env`

**Note:** The files still exist locally - they're just no longer tracked by git. Versions that were committed earlier are still in the repository history (see section 1 below).

## Updated .gitignore

Both `.gitignore` files have been updated to prevent this in the future:

```gitignore
# Environment files
.env*
!.env.example
```

This will:

- ✅ Ignore all `.env*` files (`.env`, `.env.development`, `.env.production`, etc.)
- ✅ Allow `.env.example` files to be committed (they should contain no real secrets)

Two caveats: `.gitignore` never affects files that are already tracked, which is why the files above had to be removed from the index explicitly; and `.env*` also matches unrelated dotfiles such as `.envrc`, so add a `!` exception if you rely on one.

## ⚠️ IMPORTANT: Security Actions Required

### 1. Review Git History

The `.env` files may have been committed in the past with sensitive credentials. Removing them from the current tree does not remove earlier versions from history, so check it:

```bash
# See every commit that touched a .env file, on any branch or tag
git log --all --full-history -- "**/.env*"

# View the contents of a specific commit (replace COMMIT_HASH)
git show COMMIT_HASH:api/.env.production
```

Treat any real value found this way as exposed: the repository may have been cloned, forked or mirrored while it contained the file, and rotating the credential is the only reliable remedy.

### 2. Rotate Compromised Credentials
If any of these files were committed with real credentials, you should **rotate those credentials immediately**. Rotate first, then clean history: a rewrite achieves nothing while the old value still works.

#### For API secrets in `api/.env.*`:

- [ ] **Supabase**: Regenerate service role key (Supabase Dashboard → Settings → API). Regenerating the JWT secret also invalidates the anon key and every existing user session, so plan a frontend redeploy.
- [ ] **Stripe**: Regenerate secret keys (Stripe Dashboard → Developers → API keys); if webhook signing secrets were in the file, rotate those too
- [ ] **Stream Chat**: Regenerate API secret (Stream Dashboard)
- [ ] **Email OAuth**: Revoke and regenerate OAuth tokens (Google Cloud Console). Resetting the OAuth client secret invalidates the old one; any leaked refresh tokens must be revoked separately.
- [ ] **Cloudflare R2**: Regenerate access keys (Cloudflare Dashboard → R2 → Manage R2 API Tokens)

#### For frontend env files:

- [ ] Check if any sensitive keys were in `apps/main/.env.*` or `apps/external/.env.*`. Publishable/anon keys are designed to ship to the browser; the real question is whether a *secret* key was put in a frontend file by mistake.
- [ ] Regenerate any exposed publishable keys if necessary

### 3. Use Google Secret Manager for Production

Since you've just set up Google Secret Manager, move your production secrets there:

```bash
# Migrate production secrets to Google Secret Manager
cd api
./scripts/migrate-env-to-secrets.sh .env.production your-gcp-project-id

# Verify they were created
./scripts/verify-secrets.sh your-gcp-project-id
```

Migrate the *rotated* values, not the ones that were sitting in git. After migrating:

- Delete the local `.env.production` file (or remove all sensitive values)
- Use `.env.example` as a template for what should be configured

### 4. Clean Git History (Optional but Recommended)

If sensitive credentials were committed, consider cleaning the git history. **Warning: This is destructive and requires team coordination.** Commit the staged removal (see "Next Steps") first so that `HEAD` no longer contains the files, and run either tool on a fresh clone: BFG refuses to touch blobs still present in `HEAD` unless you pass `--no-blob-protection`, and git-filter-repo refuses to run on a clone that is not fresh.

```bash
# Option A: Using BFG Repo-Cleaner (recommended)
# Download from: https://rtyley.github.io/bfg-repo-cleaner/
# The glob must cover plain ".env" (backend/app, xtablo-expo) as well as
# ".env.<stage>"; it also strips .env.example from history, so re-add that afterwards.
java -jar bfg.jar --delete-files '{.env,.env.*}' --no-blob-protection
git reflog expire --expire=now --all
git gc --prune=now --aggressive

# Option B: Using git-filter-repo
# Install: pip install git-filter-repo
# Same caveat: plain ".env" needs its own glob, and .env.example is removed too.
# filter-repo deletes the "origin" remote as a safety measure; re-add it before pushing.
git filter-repo --path-glob '**/.env' --path-glob '**/.env.*' --invert-paths

# After either option, force push (coordinate with team first!)
git push origin --force --all
```

Push tags as well (`--tags`), otherwise any tag still points at the old history and keeps it reachable.

**Important:** Cleaning git history will:

- Rewrite all commit hashes
- Require all team members to re-clone the repository (a `git pull` on an old clone merges the old history straight back in)
- Break any external references to commits (PRs, issues, etc.)

Hosted platforms may also keep the old commits reachable by hash (forks, PR refs, caches) until they run their own garbage collection, so history cleaning reduces exposure but never replaces rotation.

Only do this if:

1. You've confirmed sensitive credentials were committed
2. You've rotated all those credentials
3. You've coordinated with your team

### 5. Prevent Future Issues

**Best Practices:**

1. **Always use `.env.example`** files (committed) with placeholder values:
   ```bash
   # .env.example
   STRIPE_SECRET_KEY=sk_test_REPLACE_ME
   SUPABASE_SERVICE_ROLE_KEY=REPLACE_WITH_YOUR_KEY
   ```
2. **Never commit actual `.env` files** - they're now in `.gitignore`
3. **Use Google Secret Manager** for production/staging environments
4. **Review files before committing:**
   ```bash
   git status
   git diff --cached
   ```
5. **Use pre-commit hooks** to prevent accidental commits:
   ```bash
   # Install pre-commit: https://pre-commit.com/
   pip install pre-commit
   # Add a secret-scanning hook (for example gitleaks, https://github.com/gitleaks/gitleaks)
   # to .pre-commit-config.yaml, then install the git hook:
   pre-commit install
   ```

## Current Status

- ✅ `.env` files removed from git tracking
- ✅ `.gitignore` updated to prevent future commits
- ✅ Local `.env` files preserved (still work for development)
- ⚠️ Files staged for removal (need to commit)

## Next Steps

1. **Review this security notice carefully**
2. **Check git history** for exposed credentials
3. **Rotate any exposed credentials**
4. **Commit the changes** (the file removals are already staged, so this one commit records both):
   ```bash
   git add .gitignore
   git commit -m "security: Remove .env files from git and update .gitignore"
   ```
5. **Push the changes** (after rotating credentials if needed)
6. **Migrate production secrets** to Google Secret Manager

## Questions or Concerns?
If you have questions about:

- What credentials might be exposed
- How to rotate specific credentials
- Cleaning git history
- Setting up Google Secret Manager

Please refer to:

- `docs/GOOGLE_SECRET_MANAGER_SETUP.md` - For Secret Manager setup
- `api/GOOGLE_SECRET_MANAGER.md` - Quick reference
- Your cloud provider's documentation for credential rotation

---

**Generated:** 2025-11-03
**Action Required:** See checklist above
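## Appendix: Which secrets actually leaked?

Section 1 tells you to `git show` each historical `.env` file, and section 5 asks for a hook that checks for secrets; both come down to the same question: which `KEY=VALUE` lines hold a real credential rather than a placeholder? The script below is an added example written for this notice, not one of the project's scripts. `scan_env_text` reads `.env`-style text on stdin, prints the names of keys whose values look like live credentials (never the values themselves), and exits non-zero when it found any, so it can gate a hook. `scan_git_env_history` runs it over every `.env*` blob in every commit, and `check_staged_env` turns it into a pre-commit gate; both assume `git` is installed and are not exercised by the demo at the bottom. The value patterns (Stripe `sk_`/`rk_`/`whsec_` prefixes, Supabase JWTs, Google OAuth client secrets, AWS/R2-style access keys, credentials embedded in URLs) and the placeholder list are assumptions about what this project's secrets look like; the sample `.env` content is constructed and contains no real credentials.

```bash
#!/usr/bin/env bash
# Added example for this notice (not one of the project's scripts).
#   scan_env_text        stdin: .env text; stdout: flagged key names; exit 1 if any.
#   scan_git_env_history every .env* blob in every commit on every ref (needs git).
#   check_staged_env     pre-commit gate over the index (needs git).
# Secret patterns below are assumptions; extend them for your own providers.

# Placeholder values that .env.example is expected to contain.
is_placeholder() {
  case "$1" in
    ''|*REPLACE*|*CHANGEME*|*CHANGE_ME*|*your-*|*YOUR_*|*example*|*EXAMPLE*|\<*\>|\$\{*\}) return 0 ;;
  esac
  return 1
}

# Key names that usually hold something worth protecting.
is_sensitive_key() {
  printf '%s' "$1" | grep -Eqi 'SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|ACCESS_KEY|SERVICE_ROLE|CREDENTIAL'
}

# Value shapes that are almost certainly real credentials, whatever the key is called.
looks_like_secret() {
  printf '%s' "$1" | grep -Eq \
    -e '^(sk|rk)_(live|test)_[A-Za-z0-9]{16,}$' \
    -e '^whsec_[A-Za-z0-9]{16,}$' \
    -e '^eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$' \
    -e '^GOCSPX-[A-Za-z0-9_-]{20,}$' \
    -e '^AKIA[0-9A-Z]{16}$' \
    -e '^[A-Fa-f0-9]{32,}$' \
    -e '^[a-z][a-z0-9+.-]*://[^:/@]+:[^@]+@'
}

# Exit 0 when clean, 1 when anything was flagged. Values are never printed.
scan_env_text() {
  local line key val found=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}        # trim leading whitespace
    case "$line" in ''|'#'*) continue ;; esac      # blank lines and comments
    line=${line#export }                           # "export KEY=value" form
    case "$line" in *=*) ;; *) continue ;; esac
    key=${line%%=*}
    val=${line#*=}
    case "$val" in                                 # strip one layer of quotes
      \"*\") val=${val#\"}; val=${val%\"} ;;
      \'*\') val=${val#\'}; val=${val%\'} ;;
    esac
    is_placeholder "$val" && continue
    if looks_like_secret "$val" || { is_sensitive_key "$key" && [ "${#val}" -ge 16 ]; }; then
      printf '%s\n' "$key"
      found=$((found + 1))
    fi
  done
  [ "$found" -eq 0 ]
}

# Section 1: prints "<commit> <path>: KEY ..." for every leaked historical version.
scan_git_env_history() {
  local rev path keys
  git rev-list --all | while read -r rev; do
    git ls-tree -r --name-only "$rev" | grep -E '(^|/)\.env(\..+)?$' | grep -Ev '(^|/)\.env\.example$' |
    while read -r path; do
      keys=$(git show "$rev:$path" | scan_env_text) ||
        printf '%s %s: %s\n' "$rev" "$path" "$(printf '%s' "$keys" | tr '\n' ' ')"
    done
  done
}

# Section 5: refuse staged .env* files outright and scan other staged content
# (`git show :path` is the staged copy, not the working tree).
check_staged_env() {
  local path rc=0
  while read -r path; do
    [ -n "$path" ] || continue
    case "$path" in
      *.env.example) ;;
      .env|.env.*|*/.env|*/.env.*) echo "refusing to commit env file: $path" >&2; rc=1; continue ;;
    esac
    git show ":$path" | scan_env_text >/dev/null ||
      { echo "secret-looking value in staged file: $path" >&2; rc=1; }
  done <<EOF
$(git diff --cached --name-only --diff-filter=ACMR)
EOF
  return "$rc"
}

# Constructed sample standing in for `git show COMMIT:api/.env.production`.
SAMPLE_ENV='# api env (constructed; no real credentials)
STRIPE_SECRET_KEY=sk_live_Xy9QwErTyUiOpAsDfGhJkLzX
STRIPE_PUBLISHABLE_KEY=pk_test_REPLACE_ME
export SUPABASE_SERVICE_ROLE_KEY="eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.aGVsbG8td29ybGQtc2lnbmF0dXJl"
STREAM_API_SECRET=zq8v2k4n3m9p7r5t1w6y
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
R2_ACCESS_KEY_ID=abc
PORT=3000
LOG_LEVEL=debug'

# Demo: flags STRIPE_SECRET_KEY, SUPABASE_SERVICE_ROLE_KEY, STREAM_API_SECRET and
# DATABASE_URL; the placeholder, the short value and the plain settings pass.
if printf '%s\n' "$SAMPLE_ENV" | scan_env_text; then
  echo "clean"
else
  echo "rotate the credentials above before doing anything else"
fi
```

To use it against history, source the file and run `scan_git_env_history` from the repository root; each output line names a commit, a path and the keys whose values must be rotated. As a hook, call `check_staged_env` from `.git/hooks/pre-commit` (or wrap it as a local pre-commit hook). It is a heuristic: a long random value under an innocuous key name will slip past it, which is why the notice also points at a dedicated scanner such as gitleaks.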