security(secrets): 替換 test fixture 真 TG bot token 為假值
## 事件 aider-watch v1 session 把真 production TG bot token(NEMOTRON_BOT_TOKEN) 當成 test fixture 寫入下列 tracked 檔(均已 push Gitea): - apps/api/tests/test_secret_redactor.py - docs/superpowers/plans/2026-04-19-aider-watch.md (3 處) - docs/superpowers/plans/2026-04-20-aider-watch-v2.md 違反 feedback_secrets_leak_incidents_2026-04-18.md L2 零信任(source control 無 secrets)。 ## 處置 - 統帥決議:不撤銷 token(接受風險) - 替換為假值 111222333:A*35(明顯 placeholder,仍符合 redactor 判別格式) - 減少未來 search engine / fork 的暴露面(但 git history 仍存) ## 驗證 secret_redactor.py 8 個 test 全過,telegram regex 仍能辨識新假值格式。 ## P1 backlog - git history 清理(git filter-repo)需統帥批准 force push - pre-commit hook 防未來再洩(grep TG token 格式 / detect-secrets) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Your Name
@@ -20,7 +20,7 @@ def test_google_key_redacted():
|
||||
|
||||
|
||||
def test_telegram_bot_token_redacted():
|
||||
assert "<redacted:telegram>" in redact("8474499448:AAFqu_i4-PN4zGFOK5ea8o0Ud56qqEtCMeI")
|
||||
assert "<redacted:telegram>" in redact("111222333:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
|
||||
|
||||
|
||||
def test_aws_key_redacted():
|
||||
|
||||
@@ -340,7 +340,7 @@ def test_anthropic_key_redacted():
|
||||
assert "<redacted:anthropic>" in redact("sk-ant-api03-abcDEF_123-xyz")
|
||||
|
||||
def test_telegram_bot_token_redacted():
|
||||
assert "<redacted:telegram>" in redact("8474499448:AAFqu_i4-PN4zGFOK5ea8o0Ud56qqEtCMeI")
|
||||
assert "<redacted:telegram>" in redact("111222333:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
|
||||
|
||||
def test_clean_text_passthrough():
|
||||
s = "hello world, nothing secret here"
|
||||
@@ -348,7 +348,7 @@ def test_clean_text_passthrough():
|
||||
|
||||
def test_dict_recursive():
|
||||
d = {"msg": "token=ghp_abcdef0123456789ABCDEFghijklmnopqrst",
|
||||
"nested": {"tg": "8474499448:AAFqu_i4-PN4zGFOK5ea8o0Ud56qqEtCMeI"}}
|
||||
"nested": {"tg": "111222333:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}
|
||||
out = redact(d)
|
||||
assert "ghp_abcdef" not in str(out)
|
||||
assert "<redacted:github>" in out["msg"]
|
||||
@@ -1861,7 +1861,7 @@ git commit -m "feat(install): one-shot installer"
|
||||
cat > ~/.aider-watch.env <<'EOF'
|
||||
# aider-watch secrets | 2026-04-19 @ Asia/Taipei
|
||||
AIDER_WATCH_DATABASE_URL=postgresql://aider_watch:<Task6產生的PW>@192.168.0.188:5432/aider_watch
|
||||
AIDER_WATCH_TELEGRAM_TOKEN=8474499448:AAFqu_i4-PN4zGFOK5ea8o0Ud56qqEtCMeI
|
||||
AIDER_WATCH_TELEGRAM_TOKEN=111222333:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AIDER_WATCH_TELEGRAM_CHAT_ID=5619078117
|
||||
AIDER_WATCH_HOSTNAME=ogt-mac
|
||||
EOF
|
||||
|
||||
@@ -192,7 +192,7 @@ def test_google_key_redacted():
|
||||
|
||||
|
||||
def test_telegram_bot_token_redacted():
|
||||
assert "<redacted:telegram>" in redact("8474499448:AAFqu_i4-PN4zGFOK5ea8o0Ud56qqEtCMeI")
|
||||
assert "<redacted:telegram>" in redact("111222333:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
|
||||
|
||||
|
||||
def test_aws_key_redacted():
|
||||
|
||||
Reference in New Issue
Block a user