
chore: remove internal dev artifacts + client workflow files from public repo#2

Merged
RexOwenDev merged 3 commits into
mainfrom
chore/repo-cleanup-remove-dev-artifacts
Apr 14, 2026

Conversation

@RexOwenDev (Owner)

⚠️ SECURITY INCIDENT — Read this first

During a thorough audit of this public repo, I found live client data and a production n8n API token accidentally committed. This PR removes them from the current tree, but since git history retains deleted files, the exposed credentials must be rotated separately.

🔴 REMEDIATION CHECKLIST (do these regardless of this PR)

  • Revoke the n8n API JWT — the token ending in ...U26PA-s in fix_workflow.js. Go to https://designshopp.app.n8n.cloud → Settings → API → revoke (or rotate all tokens and issue a new one)
  • Rotate credentials the JWT could access — the three credential IDs hardcoded in the script (WordPress, Gmail, Google Sheets) — rotate in the n8n credential store
  • Check n8n audit log for any API calls from unknown IPs in the window since the repo went public
  • Consider client notification — the following client workflow files were briefly public:
    • CMCA (20+ files: P0/P2/P3-P4-P5 workflow JSONs + build scripts)
    • CPA (form URLs, PDF.co API key references)
    • CUAL (workflow JSON)
    • SEO (report automation)
    • Stil-Design (discovery docs + workflows)
    • Tornatech (translation phase 2)
  • Confirm the Supabase project ID vjtpykjmrukhypghzqnt doesn't have any RLS-bypass endpoints exposed

What this PR removes

60 files, ~31,700 lines of code/content removed:

Internal handoff documentation (108 KB)

  • PROGRESS.md (49 KB) — internal build log, references Supabase project ID + team
  • CMCA_Progress_Handoff.md (16 KB) — internal handoff
  • REX_CONTEXT_HANDOFF.md (14 KB) — internal handoff
  • SEO_Report_Automation_Phase1_Summary.md (30 KB) — belongs to a different project

Stray dev scripts

  • fix_workflow.js — contained live n8n API JWT + credential IDs (see remediation above)

Client workflow files (52 files across 7 projects)

  • workflows/CMCA/ — 31 files including build scripts and P0/P2/P3-P4-P5 workflow JSONs
  • workflows/CPA/ — 5 files including CPA_PROGRESS_REPORT.md and workflow JSONs
  • workflows/CUAL/ — 1 workflow JSON
  • workflows/SEO/ — 1 workflow JSON
  • workflows/Stil-Design/ — 3 design sample + discovery docs
  • workflows/Tornatech/ — 8 workflow JSONs including translation phase 2
  • workflows/misc/ — 2 workflow JSONs

Stray client deliverable directory

  • proposal studio/ (with space in name — likely a copy/paste mistake)
    • automation-meeting-prep.html (68 KB)
    • docs/superpowers/specs/2026-04-04-proposal-templates-design.md

.gitignore hardening

Added patterns to prevent future recurrence:

# Internal dev artifacts — DO NOT re-commit to public repo
PROGRESS.md
*_Progress_Handoff.md
*_CONTEXT_HANDOFF.md
*_Phase*_Summary.md
fix_workflow.js
fix_*.js
workflows/
"proposal studio/"

# Any file containing live API tokens, JWTs, or n8n credentials
*.apikey
*_token.txt

# Client deliverable HTML files belong under /public or /src/templates
automation-meeting-prep.html

What this PR does NOT do

❌ This does NOT rewrite git history.

All deleted files remain retrievable from any commit prior to this one. That means:

  • The n8n API JWT in old commits is still accessible to anyone who git clones the repo
  • Anyone who cloned the repo before this PR retains the full file set
  • GitHub's commit-history view still shows the old content

Why I chose NOT to rewrite history:

  1. Force-pushing to main is blocked by branch protection rules (good security — leaving those alone)
  2. Rewriting history breaks existing clones + external references (links, forks)
  3. The JWT is already harvested by anyone who was looking — rewriting doesn't un-leak it
  4. The correct remediation is credential rotation (see checklist above), not history rewrite

If you want to try history rewrite anyway, the process is: temporarily disable branch protection → git filter-repo --path fix_workflow.js --invert-paths + repeat for each file → force-push → re-enable protection. I'd recommend against it — rotation is simpler and more effective.

What remains in the repo (intentionally kept)

Test plan

  • Review the diff at github.com/RexOwenDev/proposal-studio/pull/2/files
  • Verify 60 deletions + 1 modification (.gitignore)
  • Confirm no legitimate app code was removed
  • Execute the REMEDIATION CHECKLIST above (this is the important part — not the merge)
  • After merge, verify git log -- fix_workflow.js shows file history ends at this commit on main

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com
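The .gitignore block in the PR description above relies on gitignore pattern semantics that are easy to get wrong: a pattern without a slash (other than a trailing one) matches a path component at any depth, so 'workflows/' also ignores '.github/workflows/', and gitignore has no quoting syntax, so '"proposal studio/"' is a pattern that begins with a literal double quote. The matcher below is an added example, not code from the proposal-studio repo; it implements just enough of git's rules to evaluate the PR's patterns against constructed sample paths, and puts the anchored '/workflows/' and unquoted 'proposal studio/' forms beside them. Sample paths and both pattern blocks are constructed here.

```python
"""Minimal .gitignore matcher, enough to show why the unanchored pattern
'workflows/' also ignores '.github/workflows/' and what the anchored form
'/workflows/' does instead. Added example, not code from the
proposal-studio repo. Implements '/' anchoring, trailing-'/' directory
patterns, '!' negation and '*'/'?' wildcards within one path component;
it does not implement '**', backslash escapes or nested .gitignore files."""
import fnmatch


def parse_pattern(raw: str):
    """Parse one .gitignore line into (segments, negate, dir_only, anchored).

    gitignore has no quoting syntax, so a line such as '"proposal studio/"'
    is a pattern whose first character is a literal double quote.
    """
    pat = raw.rstrip()          # git ignores unescaped trailing spaces
    if not pat or pat.startswith("#"):
        return None
    negate = pat.startswith("!")
    if negate:
        pat = pat[1:]
    dir_only = pat.endswith("/")
    if dir_only:
        pat = pat[:-1]
    # A slash at the start or in the middle anchors the pattern to the
    # directory holding the .gitignore; without one it matches at any depth.
    anchored = "/" in pat
    return pat.lstrip("/").split("/"), negate, dir_only, anchored


def _pattern_hits(parts, path_is_dir, parsed) -> bool:
    pat_segs, _negate, dir_only, anchored = parsed
    # A pattern that matches a directory excludes everything beneath it,
    # so every ancestor prefix of the path is tested, not only the full path.
    for i in range(1, len(parts) + 1):
        prefix = parts[:i]
        prefix_is_dir = i < len(parts) or path_is_dir
        if dir_only and not prefix_is_dir:
            continue
        if anchored:
            # Segment-wise match keeps '*' from crossing a '/', as in git.
            if len(prefix) == len(pat_segs) and all(
                fnmatch.fnmatchcase(s, p) for s, p in zip(prefix, pat_segs)
            ):
                return True
        elif fnmatch.fnmatchcase(prefix[-1], pat_segs[0]):
            return True
    return False


def is_ignored(path: str, gitignore_text: str) -> bool:
    """True if `path` (relative to the repo root; a trailing '/' marks a
    directory) is ignored by `gitignore_text`. The last matching line wins."""
    path_is_dir = path.endswith("/")
    parts = [p for p in path.split("/") if p]
    ignored = False
    for line in gitignore_text.splitlines():
        parsed = parse_pattern(line)
        if parsed is not None and _pattern_hits(parts, path_is_dir, parsed):
            ignored = not parsed[1]
    return ignored


# Constructed copy of the PR's pattern block (comments trimmed).
GITIGNORE_PR = """\
PROGRESS.md
*_Progress_Handoff.md
fix_*.js
workflows/
"proposal studio/"
automation-meeting-prep.html
"""

# Corrected block: anchor workflows/ to the repo root and drop the quotes.
GITIGNORE_FIXED = """\
PROGRESS.md
*_Progress_Handoff.md
fix_*.js
/workflows/
proposal studio/
automation-meeting-prep.html
"""

# Sample paths (constructed) -> (ignored by PR block, ignored by fixed block)
CASES = {
    ".github/workflows/gitleaks.yml": (True, False),   # CI config swallowed by the PR block
    "workflows/CMCA/P0_workflow.json": (True, True),   # client JSONs stay ignored either way
    "proposal studio/notes.md": (False, True),          # quoted pattern matches nothing
    "proposal studio/automation-meeting-prep.html": (True, True),  # caught by the filename rule
    "scripts/fix_webhook.js": (True, True),            # fix_*.js applies at any depth
    "src/app.js": (False, False),
}


def check_cases() -> dict:
    """Evaluate every sample path against both pattern blocks."""
    return {p: (is_ignored(p, GITIGNORE_PR), is_ignored(p, GITIGNORE_FIXED)) for p in CASES}


if __name__ == "__main__":
    for path, got in check_cases().items():
        flag = "ok " if got == CASES[path] else "BAD"
        print(f"{flag} {path!r}: PR block ignored={got[0]}, fixed block ignored={got[1]}")
```

The same check against a real checkout is `git check-ignore -v <path>`, which prints the .gitignore line responsible for each ignored path; running it on `.github/workflows/` before committing a pattern block is the quickest way to catch a CI config silently dropped from version control.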

…ublic repo

Removes ~230KB of development artifacts that were accidentally committed to this public portfolio repo. These files included internal handoff docs, a separate project's summary, a stray dev script containing a live n8n API JWT, and 52 client workflow JSONs across 7 client projects (CMCA, CPA, CUAL, SEO, Stil-Design, Tornatech, misc).

Files removed:
- PROGRESS.md (49KB internal build log referencing Supabase project ID + internal team)
- CMCA_Progress_Handoff.md (16KB internal handoff doc)
- REX_CONTEXT_HANDOFF.md (14KB internal handoff doc)
- SEO_Report_Automation_Phase1_Summary.md (30KB — belongs to a different project)
- fix_workflow.js (12KB — contained LIVE n8n API JWT; see PR description)
- workflows/ (52 files across 7 client project directories)
- 'proposal studio/' (stray directory with a client meeting prep HTML)

.gitignore updated with patterns to prevent recurrence.

IMPORTANT: This commit does NOT remove these files from git history. Anyone who cloned the repo before this commit retains access to the exposed data. The live n8n JWT in fix_workflow.js must be revoked separately (see PR description for remediation checklist).
vercel Bot commented Apr 14, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project               Deployment   Updated (UTC)
proposal-studio       Ready        Apr 14, 2026 7:06pm
proposal-studio-3xl1  Ready        Apr 14, 2026 7:06pm
proposal-studio-k6rd  Ready        Apr 14, 2026 7:06pm


Adds prevention layer after the cleanup to ensure the next accidental fix_workflow.js doesn't happen. Custom ruleset specifically catches n8n public-api JWTs (the pattern the earlier leak used), Supabase service-role keys, and other provider keys that gitleaks defaults miss.

Also corrects .gitignore which was incorrectly excluding .github/workflows — CI config SHOULD be version-controlled.
The unanchored 'workflows/' pattern was accidentally ignoring '.github/workflows/' too — which is why the gitleaks workflow required a force-add on the previous commit. Prefixing with / restricts it to the repo-root workflows/ directory only.
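A detector of the kind the commit message above describes, as an added example rather than the repo's own gitleaks ruleset: it finds JWT-shaped blobs in source text, decodes (never verifies) the header and payload, and names the key type so that an n8n public-API key or a Supabase service-role key is reported at a higher severity than a generic JWT. Two labelled assumptions about token shape are built in: that an n8n public-API key is a JWT whose payload carries iss == "n8n" and aud == "public-api", and that a Supabase service-role key is a JWT whose payload carries iss == "supabase" and role == "service_role". The sample script and every token in it are constructed here with a dummy signature; nothing from the real fix_workflow.js is reproduced.

```python
"""JWT-shaped secret detector in the spirit of a custom gitleaks ruleset.
Added example, not the repo's ruleset. Assumptions (labelled): n8n
public-API keys are JWTs with iss == "n8n" and aud == "public-api";
Supabase service-role keys are JWTs with iss == "supabase" and
role == "service_role". All tokens below are constructed fixtures."""
import base64
import json
import re
from typing import Optional

# Three base64url blobs, header starting with the base64 of '{"'; the
# lookbehind keeps the scanner from matching the tail of a longer blob.
JWT_RE = re.compile(
    r"(?<![A-Za-z0-9_-])eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"
)


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def fake_jwt(payload: dict) -> str:
    """Constructed token for the sample input: real header/payload encoding,
    dummy 43-character signature. Only ever used as a test fixture."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{'x' * 43}"


def classify(token: str) -> Optional[str]:
    """Decode (never verify) header and payload and name the key type.
    Returns None when the blob is not a JWT at all."""
    try:
        head_b64, body_b64, _sig = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        payload = json.loads(_b64url_decode(body_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict) and "alg" in header):
        return None
    # Assumption: shape of n8n public-API keys.
    if payload.get("iss") == "n8n" and payload.get("aud") == "public-api":
        return "n8n-public-api-key"
    # Assumption: shape of Supabase keys; only service_role bypasses RLS.
    if payload.get("iss") == "supabase":
        if payload.get("role") == "service_role":
            return "supabase-service-role-key"
        return "supabase-anon-key"
    return "generic-jwt"


SEVERITY = {
    "n8n-public-api-key": "critical",
    "supabase-service-role-key": "critical",
    "supabase-anon-key": "info",  # shipped in client bundles by design
    "generic-jwt": "medium",
}


def scan(source: str) -> list:
    """Report every JWT in `source`, redacted to its last 7 characters,
    the way the PR description quotes the leaked token (...U26PA-s)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in JWT_RE.finditer(line):
            kind = classify(match.group(0))
            if kind is None:
                continue
            findings.append({
                "line": lineno,
                "kind": kind,
                "severity": SEVERITY[kind],
                "token_tail": "..." + match.group(0)[-7:],
            })
    return findings


# Constructed sample resembling a stray dev script; no real credentials.
SAMPLE_SOURCE = "\n".join([
    "// fix_workflow.js-style script (constructed sample, not the real file)",
    'const N8N_API_KEY = "%s";'
    % fake_jwt({"sub": "42", "iss": "n8n", "aud": "public-api", "iat": 1700000000}),
    'const SUPABASE_SERVICE_KEY = "%s";'
    % fake_jwt({"iss": "supabase", "ref": "abcdefghijklmnopqrst", "role": "service_role"}),
    'const SUPABASE_ANON_KEY = "%s";'
    % fake_jwt({"iss": "supabase", "ref": "abcdefghijklmnopqrst", "role": "anon"}),
    'const CRED_IDS = ["8fK2ZpQ1", "Lm4vXc9R"];  // n8n credential IDs: opaque, not JWTs',
])


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['severity']:8} {f['kind']} {f['token_tail']}")
```

Decoding the payload is what lets a pre-commit hook tell a harmless anon key from a service-role key with the same three-segment shape; a regex alone, which is all a gitleaks default JWT rule has, cannot make that distinction. The opaque n8n credential IDs on the last line are not matched, which is why the PR's remediation treats them as a separate rotation item rather than something a scanner would catch.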