security: remove admin credentials and internal docs from public repo

CRITICAL SECURITY FIX: - Removed ADMIN_LOGIN_INSTRUCTIONS.md (contained admin password) - Removed scripts/reset-admin-password.js (password reset utility) - Added both to .gitignore to prevent future exposure IMMEDIATE ACTIONS REQUIRED: 1. Rotate admin password on production (current password was exposed) 2. Consider purging these files from Git history if repo is public 3. Review all committed files for sensitive information These files should remain local-only and never be committed to version control. Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-20 21:02:45 +13:00 · 2025-10-20 21:02:45 +13:00 · 9540a75c13
commit 9540a75c13
parent 7ab96f15d2
3 changed files with 2 additions and 164 deletions
--- a/.gitignore
+++ b/.gitignore
@ -95,3 +95,5 @@ production.json
 Screenshot*.png
 *.screenshot.png
 umami-local/
 ADMIN_LOGIN_INSTRUCTIONS.md
 scripts/reset-admin-password.js
--- a/ADMIN_LOGIN_INSTRUCTIONS.md
+++ b/ADMIN_LOGIN_INSTRUCTIONS.md
@ -1,106 +0,0 @@
 # Admin Login Instructions
 **Date**: 2025-10-20
 ---
 ## ✅ ADMIN ACCESS CREDENTIALS
 **Login URL**: https://agenticgovernance.digital/admin/login.html
 **Credentials**:
 - **Email**: `admin@agenticgovernance.digital`
 - **Password**: `TractatusDev2025`
 **Status**: Password has been reset in production database and verified to match using bcrypt.compare()
 ---
 ## 🔍 TROUBLESHOOTING
 ### If Login Fails:
 1. **Check password is exactly**: `TractatusDev2025` (case-sensitive, no spaces)
 2. **Try alternative admin account**:
   - Email: `admin@tractatus.local`  
   - Password: May need reset (use script below)
 3. **Reset password again**:
   ```bash
   ssh -i ~/.ssh/tractatus_deploy ubuntu@vps-93a693da.vps.ovh.net \
     "cd /var/www/tractatus && node -r dotenv/config scripts/reset-admin-password.js 'YourNewPassword'"
   ```
 4. **Check server logs**:
   ```bash
   ssh -i ~/.ssh/tractatus_deploy ubuntu@vps-93a693da.vps.ovh.net \
     "sudo journalctl -u tractatus -f"
   ```
 ---
 ## 🎯 ADMIN DASHBOARD FEATURES
 Once logged in, you'll have access to:
 1. **/admin/dashboard.html** - Main admin dashboard
 2. **/admin/blog-curation.html** - Manage blog posts
 3. **/admin/newsletter-management.html** - Newsletter subscribers
 4. **/admin/media-triage.html** - Media inquiry responses
 5. **/admin/case-moderation.html** - Case study moderation
 6. **/admin/rule-manager.html** - Governance rules
 7. **/admin/project-manager.html** - Project tracking
 8. **/admin/hooks-dashboard.html** - Framework hooks metrics
 9. **/admin/audit-analytics.html** - System audit logs
 ---
 ## 🔧 PASSWORD RESET SCRIPT
 Location: `/home/theflow/projects/tractatus/scripts/reset-admin-password.js`
 **Local**:
 ```bash
 node scripts/reset-admin-password.js 'NewPassword'
 ```
 **Production**:
 ```bash
 ssh -i ~/.ssh/tractatus_deploy ubuntu@vps-93a693da.vps.ovh.net \
  "cd /var/www/tractatus && node -r dotenv/config scripts/reset-admin-password.js 'NewPassword'"
 ```
 ---
 ## ✅ VERIFICATION COMPLETED
 - ✅ Admin user exists in production database
 - ✅ Password successfully hashed with bcrypt (60 chars, starts with $2)
 - ✅ Password verification test passed: `bcrypt.compare('TractatusDev2025', hash) === true`
 - ✅ User is active: `active: true`
 - ✅ User has admin role: `role: 'admin'`
 ---
 ## 📋 NEXT STEPS IF STILL BLOCKED
 If you cannot log in with the above credentials, possible issues:
 1. **JWT_SECRET mismatch** - Check `.env` on production
 2. **CORS issue** - Check browser console for errors
 3. **Session cookie** - Clear browser cookies for agenticgovernance.digital
 4. **Rate limiting** - Wait 15 minutes if too many attempts (5 max per 15 min)
 **Browser Console Check**:
 1. Open https://agenticgovernance.digital/admin/login.html
 2. Open browser DevTools (F12)
 3. Go to Network tab
 4. Try logging in
 5. Check the `/api/auth/login` request/response for details
 ---
 **Last Password Reset**: 2025-10-20 07:57:37 UTC  
 **Verified Working**: bcrypt hash matches password in database  
 **Password**: `TractatusDev2025`
--- a/scripts/reset-admin-password.js
+++ b/scripts/reset-admin-password.js
@ -1,58 +0,0 @@
 #!/usr/bin/env node
 /**
 * Reset Admin Password
 * Quick utility to reset admin@agenticgovernance.digital password
 */
 require('dotenv').config();
 const bcrypt = require('bcrypt');
 const { connect, close, getCollection } = require('../src/utils/db.util');
 const NEW_PASSWORD = process.argv[2] || 'Tractatus@2025!';
 async function resetPassword() {
  try {
    console.log('🔐 Resetting admin password...');
    await connect();
    const users = await getCollection('users');
    // Find admin user
    const admin = await users.findOne({ email: 'admin@agenticgovernance.digital' });
    if (!admin) {
      console.error('❌ Admin user not found: admin@agenticgovernance.digital');
      process.exit(1);
    }
    console.log('✓ Admin user found');
    // Hash new password
    console.log('⏳ Hashing password...');
    const hashedPassword = await bcrypt.hash(NEW_PASSWORD, 10);
    // Update password
    console.log('⏳ Updating database...');
    await users.updateOne(
      { email: 'admin@agenticgovernance.digital' },
      { $set: { password: hashedPassword, updated_at: new Date() } }
    );
    console.log('\n✅ Password reset successfully!');
    console.log('\n📋 Admin Credentials:');
    console.log(`  Email:    admin@agenticgovernance.digital`);
    console.log(`  Password: ${NEW_PASSWORD}`);
    console.log('\n🌐 Login URL:');
    console.log('  https://agenticgovernance.digital/admin/login.html');
    console.log('');
  } catch (error) {
    console.error('❌ Error:', error.message);
    console.error(error.stack);
    process.exit(1);
  } finally {
    await close();
  }
 }
 resetPassword();