From 25c6cb705de9db29d2a574a90820d0c728bdd665 Mon Sep 17 00:00:00 2001
From: Giuliano Silvestro
Date: Sun, 21 Jun 2026 11:29:12 +1000
Subject: [PATCH] chore(security): purge burned Guardian literal from dev/test config (Phase 4)
Replace the compromised committed Guardian secret with an obviously-fake dev-only value. Prod reads GUARDIAN_SECRET_KEY from env and raises (Phase 1, already merged); this removes the dead literal from the repo entirely. Ref: arcadia-core/docs/GUARDIAN_SECRET_ROTATION.md Phase 4.
---
 config/dev.exs | 2 +-
 config/runtime.exs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/dev.exs b/config/dev.exs
index 9c858d7..94c0a54 100644
--- a/config/dev.exs
+++ b/config/dev.exs
@@ -25,7 +25,7 @@ config :arcadia_cloud, ArcadiaCloudWeb.Endpoint,
 # Guardian — must match arcadia-core's Arcadia.Guardian dev secret_key
 # (shared verbatim with arcadia-social and arcadia-voice).
 config :arcadia_cloud, ArcadiaCloud.Guardian,
- secret_key: "DuMkIRN3Qcxk8VqOu8nHj5i7a7a7YgBHF4oXqKwDI4A="
+ secret_key: "dev-only-guardian-secret-not-for-production-aaaaaaaaaaaaaaaa="
 # skyai-finance push — service-to-service identity for cloud invoice push.
 # tenant_id="platform-admin" lands invoices in the platform's own books;
diff --git a/config/runtime.exs b/config/runtime.exs
index f4908b1..963a081 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -32,7 +32,7 @@ config :arcadia_cloud, ArcadiaCloud.Guardian,
 System.get_env("GUARDIAN_SECRET_KEY") ||
 if(config_env() == :prod,
 do: raise("environment variable GUARDIAN_SECRET_KEY is missing"),
- else: "DuMkIRN3Qcxk8VqOu8nHj5i7a7a7YgBHF4oXqKwDI4A="
+ else: "dev-only-guardian-secret-not-for-production-aaaaaaaaaaaaaaaa="
 )
 if config_env() == :prod do
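Review bot: The comment above `secret_key` in config/dev.exs still says only that the value must match arcadia-core's dev secret_key, so nothing records that the new literal is a public placeholder or that arcadia-core, arcadia-social and arcadia-voice must switch to it in the same step; if they do not, tokens presumably stop verifying between the services in dev. I would extend the comment with `# Public dev-only placeholder: anything signed with it is forgeable, so never point a shared or internet-reachable environment at this config.` The same literal is repeated in the config/runtime.exs hunk, so a later change can update one copy and miss the other. The old value also stays readable in git history, which makes this commit cleanup only; the rotation referenced in the description remains the actual remediation.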
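Review bot: The `else:` fallback in config/runtime.exs is taken for every environment other than `:prod`, so a staging or preview build that runs under any other `config_env()` without GUARDIAN_SECRET_KEY will start up silently using a key that is now public in this repository. Inverting the guard makes the fallback opt-in: `if(config_env() in [:dev, :test], do: "dev-only-guardian-secret-not-for-production-aaaaaaaaaaaaaaaa=", else: raise("environment variable GUARDIAN_SECRET_KEY is missing"))`. Separately, `System.get_env("GUARDIAN_SECRET_KEY") ||` treats an empty string as set, so `GUARDIAN_SECRET_KEY=""` in prod would pass without raising; that is in the context lines rather than the changed line, but an explicit non-empty check is worth adding. The enclosing `config` call starts above the hunk, so the key this expression is assigned to is not visible here.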