From 803b389f6b4a3570bdf50f023b4621dfa22a949a Mon Sep 17 00:00:00 2001
From: Your Name
Date: Mon, 20 Apr 2026 04:22:58 +0800
Subject: [PATCH] =?UTF-8?q?security(secrets):=20=E6=9B=BF=E6=8F=9B=20test?=
 =?UTF-8?q?=20fixture=20=E7=9C=9F=20TG=20bot=20token=20=E7=82=BA=E5=81=87?=
 =?UTF-8?q?=E5=80=BC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## 事件
aider-watch v1 session 把真 production TG bot token(NEMOTRON_BOT_TOKEN) 當成 test fixture 寫入下列 tracked 檔(均已 push Gitea):
- apps/api/tests/test_secret_redactor.py
- docs/superpowers/plans/2026-04-19-aider-watch.md (3 處)
- docs/superpowers/plans/2026-04-20-aider-watch-v2.md
違反 feedback_secrets_leak_incidents_2026-04-18.md L2 零信任(source control 無 secrets)。

## 處置
- 統帥決議:不撤銷 token(接受風險)
- 替換為假值 111222333:A*35(明顯 placeholder,仍符合 redactor 判別格式)
- 減少未來 search engine / fork 的暴露面(但 git history 仍存)

## 驗證
secret_redactor.py 8 個 test 全過,telegram regex 仍能辨識新假值格式。

## P1 backlog
- git history 清理(git filter-repo)需統帥批准 force push
- pre-commit hook 防未來再洩(grep TG token 格式 / detect-secrets)

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 apps/api/tests/test_secret_redactor.py | 2 +-
 docs/superpowers/plans/2026-04-19-aider-watch.md | 6 +++---
 docs/superpowers/plans/2026-04-20-aider-watch-v2.md | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/apps/api/tests/test_secret_redactor.py b/apps/api/tests/test_secret_redactor.py
index 5544bd8e..9e77e89b 100644
--- a/apps/api/tests/test_secret_redactor.py
+++ b/apps/api/tests/test_secret_redactor.py
@@ -20,7 +20,7 @@ def test_google_key_redacted():
 def test_telegram_bot_token_redacted():
- assert "" in redact("8474499448:AAFqu_i4-PN4zGFOK5ea8o0Ud56qqEtCMeI")
+ assert "" in redact("111222333:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
 def test_aws_key_redacted():
diff --git a/docs/superpowers/plans/2026-04-19-aider-watch.md b/docs/superpowers/plans/2026-04-19-aider-watch.md
index ab6f70db..c89a6138 100644
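Review bot: The new assertion in test_telegram_bot_token_redacted only checks that the redaction marker appears in the output of `redact(...)` (the marker renders here as `""`; if that is its literal value rather than an extraction artifact, `"" in ...` is always true and the test asserts nothing), so it never verifies that the secret itself was removed, and a redactor that appended a marker while keeping the token would pass. Bind the fixture and assert its absence as well: `token = "111222333:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"`, `out = redact(token)`, `assert token not in out`. A comment such as `# deliberately fake TG token (fake bot id + 35 'A's); never paste a live token here` would stop the next contributor from "fixing" the fixture with a real value, which is how this incident started according to the commit message. The placeholder's 9-digit bot id is one digit shorter than the value it replaces; the message says the Telegram regex still matches, but the absence check above is what would make a regression in that regex visible rather than silently green.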
--- a/docs/superpowers/plans/2026-04-19-aider-watch.md
+++ b/docs/superpowers/plans/2026-04-19-aider-watch.md
@@ -340,7 +340,7 @@ def test_anthropic_key_redacted():
 assert "" in redact("sk-ant-api03-abcDEF_123-xyz")
 def test_telegram_bot_token_redacted():
- assert "" in redact("8474499448:AAFqu_i4-PN4zGFOK5ea8o0Ud56qqEtCMeI")
+ assert "" in redact("111222333:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
 def test_clean_text_passthrough():
 s = "hello world, nothing secret here"
@@ -348,7 +348,7 @@ def test_clean_text_passthrough():
 def test_dict_recursive():
 d = {"msg": "token=ghp_abcdef0123456789ABCDEFghijklmnopqrst",
- "nested": {"tg": "8474499448:AAFqu_i4-PN4zGFOK5ea8o0Ud56qqEtCMeI"}}
+ "nested": {"tg": "111222333:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}
 out = redact(d)
 assert "ghp_abcdef" not in str(out)
 assert "" in out["msg"]
@@ -1861,7 +1861,7 @@ git commit -m "feat(install): one-shot installer"
 cat > ~/.aider-watch.env <<'EOF'
 # aider-watch secrets | 2026-04-19 @ Asia/Taipei
 AIDER_WATCH_DATABASE_URL=postgresql://aider_watch:@192.168.0.188:5432/aider_watch
-AIDER_WATCH_TELEGRAM_TOKEN=8474499448:AAFqu_i4-PN4zGFOK5ea8o0Ud56qqEtCMeI
+AIDER_WATCH_TELEGRAM_TOKEN=111222333:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AIDER_WATCH_TELEGRAM_CHAT_ID=5619078117
 AIDER_WATCH_HOSTNAME=ogt-mac
 EOF
diff --git a/docs/superpowers/plans/2026-04-20-aider-watch-v2.md b/docs/superpowers/plans/2026-04-20-aider-watch-v2.md
index 393d9872..d3bdf0e7 100644
--- a/docs/superpowers/plans/2026-04-20-aider-watch-v2.md
+++ b/docs/superpowers/plans/2026-04-20-aider-watch-v2.md
@@ -192,7 +192,7 @@ def test_google_key_redacted():
 def test_telegram_bot_token_redacted():
- assert "" in redact("8474499448:AAFqu_i4-PN4zGFOK5ea8o0Ud56qqEtCMeI")
+ assert "" in redact("111222333:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
 def test_aws_key_redacted():