fix(security): comprehensive security incident response for API key exposure
INCIDENT SUMMARY:
- Date: 2025-10-21
- Severity: CRITICAL → MEDIUM (credential revoked before exploitation)
- Exposed: Anthropic API key (ID 5043627, name: family-history-ocr)
- Location: docs/STRIPE_LIVE_MODE_DEPLOYMENT.md (commit 31345d5c)
- Detection: GitHub secret scanning (automatic)
- Revocation: Anthropic (automatic, within hours)
- Financial Impact: $0 (no unauthorized usage)
ROOT CAUSE - 5 FAILURE POINTS:
1. No credential redaction in documentation (PREVENTION)
2. Framework fade - BoundaryEnforcer not used (ENFORCEMENT)
3. No pre-commit secret detection (DETECTION)
4. No credential audit in pre-deployment checklist (MITIGATION)
5. Single-layer security model, not defense-in-depth (ARCHITECTURAL)
NEW GOVERNANCE RULES:
- inst_069: Credential Handling in Documentation (SYSTEM, HIGH, PERMANENT)
- Requires ALL credentials redacted with example-only values
- Patterns: sk-ant-api03-EXAMPLE-REDACTED, sk_live_EXAMPLE_REDACTED
- Mandatory secret detection scan before commits
- inst_070: Pre-Commit Secret Detection (SYSTEM, HIGH, PERMANENT)
- Requires gitleaks or detect-secrets as pre-commit hook
- BLOCKS commits containing secrets
- False positives require user approval + documentation
- inst_071: Enhanced Pre-Deployment Checklist (OPERATIONAL, HIGH, PERMANENT)
- Replaces inst_054 with 8 steps including secret detection
- Step 2: gitleaks detect --source .
- Step 3: Credential audit (grep for sk-, pk-, secret, password)
- Step 8: Public repository content review
- inst_072: Assume Breach - Defense in Depth (STRATEGIC, HIGH, PERMANENT)
- Layer 1 - Prevention: Never commit credentials
- Layer 2 - Mitigation: Redact credentials in docs
- Layer 3 - Detection: Pre-commit secret scanning (automated)
- Layer 4 - Backstop: GitHub secret scanning
- Layer 5 - Recovery: Credential rotation procedures
DOCUMENTATION:
- SECURITY_INCIDENT_POST_MORTEM_2025-10-21.md (comprehensive analysis)
- SECURITY_INCIDENT_HUMAN_ACTIONS_REQUIRED.md (15-step action plan)
- scripts/install-gitleaks-hook.sh (automated installation)
- scripts/add-security-rules-2025-10-21.js (rules migration)
ADDITIONAL FINDINGS:
Comprehensive credential scan revealed additional exposed credentials in
internal repository (not public):
- Same Anthropic key in .env file
- Same key in internal docs/STRIPE_LIVE_MODE_DEPLOYMENT.md
- Stripe test keys in .env
- JWT production secret in .env
HUMAN ACTIONS REQUIRED:
1. Rotate Anthropic API key (CRITICAL)
2. Rotate JWT secret (CRITICAL)
3. Remove credentials from internal repository files
4. Install gitleaks pre-commit hook
5. Decide on git history cleanup (Option A/B/C)
VERSION UPDATE:
- instruction-history.json: 3.6 → 3.7
- Total rules: 68 → 72
- Active rules: 56 → 59
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
1044d217a8