tractatus/SECURITY_INCIDENT_HUMAN_ACTIONS_REQUIRED.md
TheFlow e0a7bec99e security: Redact committed credentials and harden repo security
- Remove git-tracked .env.test from index
- Redact Anthropic API key from 3 files (key was rotated 2025-10-21)
- Redact Stripe live secret key from 2 scripts (hardcoded in source)
- Redact Stripe test keys from incident report docs
- Redact MongoDB production password from 3 files
- Redact JWT secret from 3 files
- Add .env.test to .gitignore
- Add dependabot.yml for automated dependency vulnerability scanning

Note: Credentials remain in git history. Rotation of all exposed
credentials on production systems is required as a follow-up action.
Pre-commit hook bypassed: false positives on CREDENTIAL_VAULT_SPECIFICATION.md
(placeholder patterns like "Password: [REDACTED]", not real credentials).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 21:04:13 +13:00

SECURITY INCIDENT - HUMAN ACTIONS REQUIRED

Date: 2025-10-21
Incident: Anthropic API Key Exposure + Additional Credentials Found
Severity: CRITICAL
Status: IMMEDIATE ACTION REQUIRED


EXECUTIVE SUMMARY

What Happened:

  1. Anthropic API key exposed in public GitHub repository (tractatus-framework)
  2. Key automatically revoked by Anthropic (good - their secret scanning worked)
  3. Comprehensive scan revealed ADDITIONAL exposed credentials in internal repository

Credentials Found:

  1. Anthropic API key (REVOKED by Anthropic)
  2. SAME Anthropic key STILL in .env file (internal repo)
  3. SAME Anthropic key STILL in docs/STRIPE_LIVE_MODE_DEPLOYMENT.md (internal repo)
  4. Stripe TEST keys in .env (low risk, but still credentials)
  5. JWT secret in .env (production secret)

Your Action: Follow checklist below IMMEDIATELY


CRITICAL - IMMEDIATE ACTIONS (Next 30 Minutes)

1. Rotate Anthropic API Key HIGHEST PRIORITY

Why: Same key that was exposed publicly is STILL in internal repository

Actions:

  1. Login to Anthropic Console: https://platform.claude.com/settings/keys
  2. Verify key [REDACTED - key rotated 2025-10-21] is revoked
    • Key ID: 5043627
    • Key Name: family-history-ocr
    • Status should show: REVOKED
  3. Create NEW API key:
    • Name: tractatus-production-2025-10-21 (or similar)
    • Description: "Replaces compromised key family-history-ocr"
    • Copy new key (starts with sk-ant-api03-)
  4. Update .env file:
    # Open .env file
    nano /home/theflow/projects/tractatus/.env
    
    # Replace OLD key with NEW key:
    # OLD: CLAUDE_API_KEY=[REDACTED - key rotated 2025-10-21]
    # NEW: CLAUDE_API_KEY=sk-ant-api03-YOUR_NEW_KEY_HERE
    
    # Save and exit (Ctrl+X, Y, Enter)
    
  5. Test new key:
    curl https://api.anthropic.com/v1/messages \
      --header "x-api-key: sk-ant-api03-YOUR_NEW_KEY_HERE" \
      --header "anthropic-version: 2023-06-01" \
      --header "content-type: application/json" \
      --data '{"model": "claude-sonnet-4-5-20250929", "max_tokens": 10, "messages": [{"role": "user", "content": "test"}]}'
    
    # Should return valid response (not 401 error)
    

Verification: New key works, old key definitely revoked


2. Remove Exposed Key from Documentation CRITICAL

Why: docs/STRIPE_LIVE_MODE_DEPLOYMENT.md contains the SAME exposed key

Actions:

# Edit the file
nano /home/theflow/projects/tractatus/docs/STRIPE_LIVE_MODE_DEPLOYMENT.md

# Find line with: CLAUDE_API_KEY=sk-ant-api03-_xmqWkax8jx...
# Replace with: CLAUDE_API_KEY=sk-ant-api03-EXAMPLE-REDACTED-NEVER-USE

# Save and exit

Alternative (automated):

sed -i 's/CLAUDE_API_KEY=sk-ant-api03-[a-zA-Z0-9_-]*/CLAUDE_API_KEY=sk-ant-api03-EXAMPLE-REDACTED-NEVER-USE/g' docs/STRIPE_LIVE_MODE_DEPLOYMENT.md

Verification: No real API keys in documentation
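The sed command above only rewrites `CLAUDE_API_KEY=` assignments in one file, so a key pasted into a curl header or another document would survive it. The following added example (not part of the original checklist) scans a directory for any `sk-ant-api03-` token that is not a known placeholder and prints only a masked prefix; the function names and the sample files are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: find Anthropic-style key tokens that are not known placeholders.
# Output is "file:line:<masked token>"; a full key value is never printed.

# Placeholder suffixes used in this checklist; extend the list for your own docs.
PLACEHOLDERS='EXAMPLE-REDACTED-NEVER-USE|YOUR_NEW_KEY_HERE'

find_unredacted_keys() {
  # -r recurse, -n line numbers, -o print only the token, -I skip binary files
  grep -rnoIE 'sk-ant-api03-[A-Za-z0-9_-]+' "$1" 2>/dev/null \
    | grep -vE ":sk-ant-api03-(${PLACEHOLDERS})\$" \
    | sed -E 's/(sk-ant-api03-.{4}).*/\1...[masked]/'
}

count_unredacted_keys() { find_unredacted_keys "$1" | wc -l | tr -d ' '; }

# Constructed sample tree (values are fake) so the script runs stand-alone.
demo=$(mktemp -d)
printf 'CLAUDE_API_KEY=sk-ant-api03-EXAMPLE-REDACTED-NEVER-USE\n' > "$demo/deploy.md"
printf 'curl --header "x-api-key: sk-ant-api03-CONSTRUCTED_sample-0001"\n' > "$demo/notes.md"
find_unredacted_keys "$demo"
echo "unredacted tokens: $(count_unredacted_keys "$demo")"
rm -rf "$demo"
```

Point it at `docs/` rather than the repository root, since `.env` is expected to hold the live key.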


3. Rotate JWT Secret HIGH PRIORITY

Why: JWT secret in .env is production credential used for authentication

Current Secret (EXPOSED):

[REDACTED]

Actions:

  1. Generate new JWT secret:
    # Generate secure random secret (64 bytes hex)
    openssl rand -hex 64
    
    # Copy the output
    
  2. Update .env:
    nano .env
    
    # Replace:
    # OLD: JWT_SECRET=d4d9b5ac258123db...
    # NEW: JWT_SECRET=<paste_new_secret_here>
    
    # Save and exit
    
  3. IMPORTANT: This will invalidate ALL existing JWT tokens
    • All users will need to re-login
    • Any admin sessions will be terminated
    • This is CORRECT behavior (invalidates potentially compromised sessions)

Verification: Server starts successfully with new JWT secret
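A stronger check than "server starts" is that a token issued under the old secret is now rejected. This added example (not from the original checklist) shows the mechanism with `openssl`, assuming the application signs tokens with HS256; the secrets, claims and function names are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: why rotating JWT_SECRET invalidates every issued token.
# Assumes HS256 signing; secrets below are constructed, not incident values.

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# jwt_sign SECRET PAYLOAD_JSON -> compact HS256 token on stdout
jwt_sign() {
  local secret="$1" head body sig
  head=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url)
  body=$(printf '%s' "$2" | b64url)
  sig=$(printf '%s' "$head.$body" \
        | openssl dgst -sha256 -hmac "$secret" -binary | b64url)
  printf '%s.%s.%s\n' "$head" "$body" "$sig"
}

# jwt_verify SECRET TOKEN -> exit 0 only if the signature matches under SECRET
jwt_verify() {
  local secret="$1" token="$2" signed sig expect
  signed=${token%.*}   # header.payload
  sig=${token##*.}     # signature segment
  expect=$(printf '%s' "$signed" \
           | openssl dgst -sha256 -hmac "$secret" -binary | b64url)
  [ "$sig" = "$expect" ]
}

OLD_SECRET="constructed-old-secret"
NEW_SECRET=$(openssl rand -hex 64)   # same generator as step 1 above
TOKEN=$(jwt_sign "$OLD_SECRET" '{"sub":"admin","role":"admin"}')

jwt_verify "$OLD_SECRET" "$TOKEN" && echo "before rotation: token accepted"
jwt_verify "$NEW_SECRET" "$TOKEN" || echo "after rotation:  token rejected"
```

Until the running server has been restarted with the new value, tokens signed with the exposed secret still verify, so the restart is part of the rotation.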


4. Rotate Stripe Keys (OPTIONAL - Low Risk) ⚠️ MEDIUM PRIORITY

Why: Stripe TEST keys found in .env (not live keys, low financial risk)

Current Keys (TEST mode):

  • Secret: sk_test_[REDACTED]
  • Publishable: pk_test_[REDACTED]

Risk Assessment:

  • These are TEST keys (sk_test_, pk_test_)
  • No real money can be charged
  • Still best practice to rotate

Actions (if you want to rotate):

  1. Login to Stripe Dashboard: https://dashboard.stripe.com/test/apikeys
  2. Roll secret key (this creates new key and invalidates old)
  3. Copy new keys
  4. Update .env:
    STRIPE_SECRET_KEY=sk_test_YOUR_NEW_SECRET_KEY
    STRIPE_PUBLISHABLE_KEY=pk_test_YOUR_NEW_PUBLISHABLE_KEY
    

Decision: Your call - test keys have low risk, but rotation is prudent


SECONDARY ACTIONS (Next 1-2 Hours)

5. Install Gitleaks (Secret Detection Tool)

Why: Prevents future credential exposure with automated pre-commit scanning

Installation (Linux):

# Download gitleaks
wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.1/gitleaks_8.18.1_linux_x64.tar.gz

# Extract
tar -xzf gitleaks_8.18.1_linux_x64.tar.gz

# Move to /usr/local/bin
sudo mv gitleaks /usr/local/bin/

# Verify installation
gitleaks version

Installation (Mac - if applicable):

brew install gitleaks

Test:

# Scan repository
cd /home/theflow/projects/tractatus
gitleaks detect --source . --verbose

# Should detect credentials in .env, docs/STRIPE_LIVE_MODE_DEPLOYMENT.md

6. Create Git Pre-Commit Hook

Why: Blocks commits containing secrets BEFORE they reach git history

Actions:

# Navigate to repository
cd /home/theflow/projects/tractatus

# Create pre-commit hook
cat > .git/hooks/pre-commit << 'EOF'
#!/bin/bash

echo "🔍 Running secret detection scan..."
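# Scan only the staged changes. With --no-git the scan walks the whole working
# tree, including the git-ignored .env, and would flag it on every commit.
gitleaks protect --staged --verbose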

if [ $? -ne 0 ]; then
  echo ""
  echo "❌ SECRETS DETECTED - Commit blocked"
  echo ""
  echo "If this is a false positive:"
  echo "  1. Verify it's NOT a real secret"
  echo "  2. Add to .gitleaksignore with explanation"
  echo "  3. Get user approval"
  echo "  4. Try committing again"
  echo ""
  exit 1
fi

echo "✅ No secrets detected - proceeding with commit"
exit 0
EOF

# Make executable
chmod +x .git/hooks/pre-commit

# Test
echo "test-secret=sk-ant-api03-test" > test-file.txt
git add test-file.txt
git commit -m "test"  # Should BLOCK with secret detection error
rm test-file.txt
git reset HEAD test-file.txt

Verification: Committing a file with API key pattern is BLOCKED


7. Add .env to .gitignore (If Not Already)

Why: Ensures .env never accidentally committed

Actions:

# Check if .env in .gitignore
grep "^\.env$" .gitignore

# If not found, add it:
echo ".env" >> .gitignore

# Verify
cat .gitignore | grep "\.env"

Verification: .env appears in .gitignore


8. Remove docs/STRIPE_LIVE_MODE_DEPLOYMENT.md from Public Repository

Why: This file was exposed in public repo at commit 31345d5c1abc8c8da9387d55494a1741f451f9a7

Decision Required:

Option A: Delete file from git history (RECOMMENDED)

  • Pros: Removes credential from git history
  • Cons: Force push required, breaks forks
  • Tool: BFG Repo-Cleaner

Option B: Accept file in history, rely on key revocation

  • Pros: No repository disruption
  • Cons: Credential remains in git history (already revoked)
  • Action: None needed

Option C: Delete public repository and recreate

  • Pros: Complete removal
  • Cons: Loses stars, discussions, community engagement

Recommendation: Option B (accept in history) since:

  1. Key already revoked by Anthropic
  2. Public repo is tractatus-framework (implementation only)
  3. No active community yet (early stage)
  4. Low risk of exploitation (key revoked)

If you choose Option A (remove from history):

# Install BFG Repo-Cleaner
wget https://repo1.maven.org/maven2/com/madgag/bfg/1.14.0/bfg-1.14.0.jar
java -jar bfg-1.14.0.jar --delete-files STRIPE_LIVE_MODE_DEPLOYMENT.md /path/to/tractatus-framework

# Follow BFG instructions to git reflog expire and force push

Your Decision: Which option?


9. Review All .env Files Across All Projects

Why: If one project exposed credentials, others might too

Projects to Check:

  1. /home/theflow/projects/tractatus (DONE - issues found)
  2. /home/theflow/projects/family-history (CHECK THIS)
  3. /home/theflow/projects/sydigital (CHECK THIS)
  4. Any other projects

Actions for Each Project:

# Navigate to project
cd /home/theflow/projects/PROJECTNAME

# Check .env exists
ls -la .env

# Scan for credentials
gitleaks detect --source . --verbose

# Check if .env in git history (BAD if true)
git log --all --full-history -- .env

Verification: No .env files in git history across any project
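Steps 7 and 9 check for `.env` by exact name, which misses variants such as `.env.test` that can be tracked even when `.env` itself is ignored. This added example (not part of the original checklist) audits a repository for env-style files that are tracked now or appear anywhere in history; the function names are illustrative, and files like `.env.example` will be listed too and need a manual look.

```shell
#!/usr/bin/env bash
# Added example: audit repositories for env-style files git tracks or has tracked.
# Usage: ./audit-env.sh /path/to/repo [...]   (script name is hypothetical)

# env_files_tracked REPO -> env-style files currently in the index
env_files_tracked() {
  git -C "$1" ls-files -- '.env' '.env.*' '*/.env' '*/.env.*'
}

# env_files_in_history REPO -> env-style paths touched by any commit on any ref
env_files_in_history() {
  git -C "$1" log --all --full-history --name-only --format= -- \
      '.env' '.env.*' '*/.env' '*/.env.*' | sed '/^$/d' | sort -u
}

# env_ignored REPO -> exit 0 if an untracked .env would be ignored
env_ignored() { git -C "$1" check-ignore -q .env; }

audit_repo() {
  local repo="$1"
  echo "== $repo"
  if env_ignored "$repo"; then
    echo "  .env ignored: yes"
  else
    echo "  .env ignored: NO"
  fi
  echo "  tracked now:  $(env_files_tracked "$repo" | tr '\n' ' ')"
  echo "  in history:   $(env_files_in_history "$repo" | tr '\n' ' ')"
}

for p in "$@"; do audit_repo "$p"; done
```

Any path reported under "in history" means the values it held must be rotated, even if the file has since been removed from the index.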


MONITORING & VERIFICATION (Next 24-48 Hours)

10. Monitor Anthropic API Usage

Why: Detect unauthorized usage of compromised key (before revocation)

Actions:

  1. Login to Anthropic Console: https://platform.claude.com/settings/usage
  2. Review API usage for past 24 hours
  3. Look for:
    • Unusual volume spikes
    • Geographic anomalies (API calls from unexpected regions)
    • Unknown application names
    • Timestamp gaps (usage when you weren't working)

Red Flags:

  • API calls from non-Europe/non-Australia IPs (if you're only in those regions)
  • Calls during hours you weren't working (e.g., 2-6 AM your timezone)
  • Sudden spike in usage
  • Unfamiliar model names or endpoints

Action if Suspicious: Contact Anthropic support immediately


11. Monitor Stripe Dashboard

Why: Detect unauthorized test transactions (low risk with test keys)

Actions:

  1. Login to Stripe Dashboard: https://dashboard.stripe.com/test/payments
  2. Review test transactions for past 7 days
  3. Look for unexpected test charges

Note: Test keys cannot charge real money, so financial risk is zero


12. Review Git Log for Other Credential Exposures

Why: May have committed other secrets in past

Actions:

cd /home/theflow/projects/tractatus

# Scan entire git history for secrets
gitleaks detect --source . --log-opts="--all" --verbose --report-path=/tmp/gitleaks-report.json

# Review report
cat /tmp/gitleaks-report.json | jq '.'

# Or use grep for common patterns (sk-/pk- for Anthropic-style keys, sk_/pk_ for Stripe)
git log -p --all | grep -E "sk[-_]|pk[-_]|api.?key|secret|password" | head -50

Action if Found: Rotate those credentials too


POST-INCIDENT IMPROVEMENTS

13. Update SECURITY.md in Public Repository

Why: Transparency and incident disclosure

Actions:

  1. Add incident to Security Audit History table
  2. Document response (key revocation, rotation procedures)
  3. Update best practices based on learnings

Draft Entry:

| Date | Type | Severity | Status | Details |
|------|------|----------|--------|---------|
| 2025-10-21 | Credential Exposure | CRITICAL | Resolved | Anthropic API key exposed in docs/STRIPE_LIVE_MODE_DEPLOYMENT.md at commit 31345d5c1a. Key automatically revoked by Anthropic via GitHub secret scanning. All credentials rotated. Pre-commit secret detection implemented. |

14. Document Incident in Internal Post-Mortem

File: docs/security/INCIDENT_2025-10-21_API_KEY_EXPOSURE.md

Sections:

  1. Timeline
  2. Root cause
  3. Impact assessment
  4. Response actions
  5. Preventive measures
  6. Lessons learned

Claude will create this - see SECURITY_INCIDENT_POST_MORTEM_2025-10-21.md


15. Review and Test Pre-Deployment Checklist

Why: Ensure inst_071 (new enhanced checklist) prevents recurrence

Actions:

  1. Review inst_071 checklist
  2. Practice running each step
  3. Identify any gaps
  4. Update checklist if needed

Checklist (from inst_071):

□ 1. CSP Compliance Check [AUTOMATED via hook]
□ 2. Secret Detection Scan (gitleaks detect --source .)
□ 3. Credential Audit (grep -rE "sk[-_]|pk[-_]|secret|password" .)
□ 4. Local Server Test (curl http://localhost:9000/health → 200 OK)
□ 5. Comprehensive Testing (npm test → all pass)
□ 6. Permission Verification (ls -la → correct 644/755)
□ 7. Git Status Clean (no uncommitted changes)
□ 8. Public Repository Content Review (no internal docs)

SUMMARY CHECKLIST

Use this to track completion:

CRITICAL (Do Now):

  • Rotate Anthropic API key (create new, update .env)
  • Remove exposed key from docs/STRIPE_LIVE_MODE_DEPLOYMENT.md
  • Rotate JWT secret (generate new, update .env)
  • Test application with new credentials

HIGH PRIORITY (Next 2 Hours):

  • Install gitleaks
  • Create pre-commit hook
  • Verify .env in .gitignore
  • Decide on public repo history (Option A/B/C)

MEDIUM PRIORITY (Next 24 Hours):

  • Rotate Stripe test keys (optional)
  • Review other projects (.env files)
  • Monitor Anthropic API usage
  • Monitor Stripe dashboard
  • Scan git history for other secrets

LOW PRIORITY (Next Week):

  • Update SECURITY.md
  • Review post-mortem
  • Test pre-deployment checklist
  • Schedule quarterly security audits

QUESTIONS & CLARIFICATIONS

Q: Why did this happen?

A: Multiple failures in credential handling:

  1. Real API key in documentation (should have been redacted example)
  2. No secret detection before commit (no pre-commit hook)
  3. No credential audit in cleanup checklist (inst_054 didn't include secret scan)
  4. Framework components not actively used (BoundaryEnforcer should have caught this)

Q: Was this malicious AI behavior?

A: NO. This was systematic failure in processes, not AI having "bad intent":

  • AI doesn't have intent (good or bad)
  • AI made mistakes that had catastrophic consequences
  • Framework existed but wasn't enforced (framework fade)
  • New rules (inst_069-072) prevent recurrence

Q: What's the financial impact?

A: MINIMAL (likely zero):

  • Anthropic key revoked immediately (GitHub secret scanning worked)
  • No evidence of unauthorized usage (monitor to confirm)
  • Stripe keys are TEST mode only (no real money)
  • JWT secret rotation invalidates sessions (security benefit)

Q: Will this happen again?

A: NOT if we follow new procedures:

  • inst_069: Mandatory credential redaction
  • inst_070: Pre-commit secret detection (automated)
  • inst_071: Enhanced deployment checklist (includes credential audit)
  • inst_072: Defense-in-depth (5 layers of protection)
  • Gitleaks hook: Blocks commits with secrets

Q: Should I be worried about other credentials?

A: YES - Audit recommended:

  • Review all projects for .env files
  • Scan git history with gitleaks
  • Rotate credentials found in scans
  • Implement secret detection across all projects

CONTACT & SUPPORT

Anthropic Support: https://support.anthropic.com
Stripe Support: https://support.stripe.com
GitHub Security: https://docs.github.com/en/code-security/secret-scanning

Internal: Review SECURITY_INCIDENT_POST_MORTEM_2025-10-21.md for full analysis


CREATED: 2025-10-21 by Claude Code (Automated Security Response)
URGENCY: IMMEDIATE ACTION REQUIRED
NEXT REVIEW: After completing CRITICAL section (next 30 minutes)