chore(security): purge burned Guardian literal from dev/test config (Phase 4)
Replace the compromised committed Guardian secret with an obviously-fake dev-only value. Prod reads GUARDIAN_SECRET_KEY from env and raises (Phase 1, already merged); this removes the dead literal from the repo entirely. Ref: arcadia-core/docs/GUARDIAN_SECRET_ROTATION.md Phase 4.
@@ -25,7 +25,7 @@ config :arcadia_cloud, ArcadiaCloudWeb.Endpoint,
|
|||||||
# Guardian — must match arcadia-core's Arcadia.Guardian dev secret_key
|
# Guardian — must match arcadia-core's Arcadia.Guardian dev secret_key
|
||||||
# (shared verbatim with arcadia-social and arcadia-voice).
|
# (shared verbatim with arcadia-social and arcadia-voice).
|
||||||
config :arcadia_cloud, ArcadiaCloud.Guardian,
|
config :arcadia_cloud, ArcadiaCloud.Guardian,
|
||||||
secret_key: "DuMkIRN3Qcxk8VqOu8nHj5i7a7a7YgBHF4oXqKwDI4A="
|
secret_key: "dev-only-guardian-secret-not-for-production-aaaaaaaaaaaaaaaa="
|
||||||
|
|
||||||
# skyai-finance push — service-to-service identity for cloud invoice push.
|
# skyai-finance push — service-to-service identity for cloud invoice push.
|
||||||
# tenant_id="platform-admin" lands invoices in the platform's own books;
|
# tenant_id="platform-admin" lands invoices in the platform's own books;
|
||||||
|
|||||||
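Review bot: The new `secret_key` literal is still a committed signing key, and the comment directly above it says it must match arcadia-core's dev secret and is shared verbatim with arcadia-social and arcadia-voice. Unless those repos switch to the same literal in lockstep, tokens issued by one service will fail verification in another in dev, so please link the companion changes in this commit or its PR. Anyone with read access to the repo can forge tokens signed with this value, so the comment should also say that the value is public and valid only for local dev/test.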
@@ -32,7 +32,7 @@ config :arcadia_cloud, ArcadiaCloud.Guardian,
|
|||||||
System.get_env("GUARDIAN_SECRET_KEY") ||
|
System.get_env("GUARDIAN_SECRET_KEY") ||
|
||||||
if(config_env() == :prod,
|
if(config_env() == :prod,
|
||||||
do: raise("environment variable GUARDIAN_SECRET_KEY is missing"),
|
do: raise("environment variable GUARDIAN_SECRET_KEY is missing"),
|
||||||
else: "DuMkIRN3Qcxk8VqOu8nHj5i7a7a7YgBHF4oXqKwDI4A="
|
else: "dev-only-guardian-secret-not-for-production-aaaaaaaaaaaaaaaa="
|
||||||
)
|
)
|
||||||
|
|
||||||
if config_env() == :prod do
|
if config_env() == :prod do
|
||||||
|
|||||||
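Review bot: The `else:` branch hands out the committed literal in every environment that is not `:prod`, so a staging or preview build with a different `config_env()` and no GUARDIAN_SECRET_KEY would silently sign tokens with a publicly known key. Consider inverting the check so the fallback is allowed only when `config_env() in [:dev, :test]` and every other environment raises. Separately, `System.get_env("GUARDIAN_SECRET_KEY") || ...` accepts an empty string, because `""` is truthy in Elixir; a variable that is set but blank would become the signing key, so an explicit non-empty check before use would close that gap. The literal is also repeated here and in the earlier hunk, and a single definition would keep the two from drifting.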