3 Commits

Author SHA1 Message Date
0e9332f055 Merge pull request 'chore(security): purge burned Guardian literal from dev/test config (Phase 4)' (#2) from purge/guardian-dev-literal into main 2026-06-21 01:44:52 +00:00
25c6cb705d chore(security): purge burned Guardian literal from dev/test config (Phase 4)
Replace the compromised committed Guardian secret with an obviously-fake
dev-only value. Prod reads GUARDIAN_SECRET_KEY from env and raises (Phase 1,
already merged); this removes the dead literal from the repo entirely.
Ref: arcadia-core/docs/GUARDIAN_SECRET_ROTATION.md Phase 4.
2026-06-21 11:29:12 +10:00
fad93b04d6 Merge pull request 'fix(security): wire Guardian secret_key (raise in prod)' (#1) from fix/audit-security-blockers into main 2026-06-21 01:15:21 +00:00
2 changed files with 2 additions and 2 deletions


@@ -25,7 +25,7 @@ config :arcadia_cloud, ArcadiaCloudWeb.Endpoint,
# Guardian — must match arcadia-core's Arcadia.Guardian dev secret_key # Guardian — must match arcadia-core's Arcadia.Guardian dev secret_key
# (shared verbatim with arcadia-social and arcadia-voice). # (shared verbatim with arcadia-social and arcadia-voice).
config :arcadia_cloud, ArcadiaCloud.Guardian, config :arcadia_cloud, ArcadiaCloud.Guardian,
secret_key: "DuMkIRN3Qcxk8VqOu8nHj5i7a7a7YgBHF4oXqKwDI4A=" secret_key: "dev-only-guardian-secret-not-for-production-aaaaaaaaaaaaaaaa="
# skyai-finance push — service-to-service identity for cloud invoice push. # skyai-finance push — service-to-service identity for cloud invoice push.
# tenant_id="platform-admin" lands invoices in the platform's own books; # tenant_id="platform-admin" lands invoices in the platform's own books;
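Review bot: The comment directly above the changed `secret_key:` line says this value must match arcadia-core's Arcadia.Guardian dev secret_key and is shared verbatim with arcadia-social and arcadia-voice, so changing it in this repo alone leaves the dev secrets out of sync with what that comment requires. Confirm the same placeholder lands in those repos together with this change, or update the comment to describe the coordinated rollout. Separately, the removed line keeps the old value readable in history, so the purge only helps once the key has actually been rotated as the referenced GUARDIAN_SECRET_ROTATION.md describes.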


@@ -32,7 +32,7 @@ config :arcadia_cloud, ArcadiaCloud.Guardian,
System.get_env("GUARDIAN_SECRET_KEY") || System.get_env("GUARDIAN_SECRET_KEY") ||
if(config_env() == :prod, if(config_env() == :prod,
do: raise("environment variable GUARDIAN_SECRET_KEY is missing"), do: raise("environment variable GUARDIAN_SECRET_KEY is missing"),
else: "DuMkIRN3Qcxk8VqOu8nHj5i7a7a7YgBHF4oXqKwDI4A=" else: "dev-only-guardian-secret-not-for-production-aaaaaaaaaaaaaaaa="
) )
if config_env() == :prod do if config_env() == :prod do
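Review bot: The `else:` branch still supplies a fallback for every `config_env()` other than `:prod`, and after this change that fallback is a value published in the repo, so a build compiled under any other env name (a staging env, for example) without GUARDIAN_SECRET_KEY set would start with a publicly known secret instead of failing. Consider raising unless `config_env() in [:dev, :test]`. The same literal also now appears in both changed files; keeping it in one place (the config changed in the first hunk) and dropping the fallback here would avoid the two copies drifting apart.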