chore: remove internal dev artifacts + client workflow files from public repo #2
Merged
…ublic repo
Removes ~230KB of development artifacts that were accidentally committed to this public portfolio repo. These files included internal handoff docs, a separate project's summary, a stray dev script containing a live n8n API JWT, and 52 client workflow JSONs across 7 client projects (CMCA, CPA, CUAL, SEO, Stil-Design, Tornatech, misc).
Files removed:
- PROGRESS.md (49KB internal build log referencing Supabase project ID + internal team)
- CMCA_Progress_Handoff.md (16KB internal handoff doc)
- REX_CONTEXT_HANDOFF.md (14KB internal handoff doc)
- SEO_Report_Automation_Phase1_Summary.md (30KB — belongs to a different project)
- fix_workflow.js (12KB — contained LIVE n8n API JWT; see PR description)
- workflows/ (52 files across 7 client project directories)
- 'proposal studio/' (stray directory with a client meeting prep HTML)
.gitignore updated with patterns to prevent recurrence.
IMPORTANT: This commit does NOT remove these files from git history. Anyone who cloned the repo before this commit retains access to the exposed data. The live n8n JWT in fix_workflow.js must be revoked separately (see PR description for remediation checklist).
Adds prevention layer after the cleanup to ensure the next accidental fix_workflow.js doesn't happen. Custom ruleset specifically catches n8n public-api JWTs (the pattern the earlier leak used), Supabase service-role keys, and other provider keys that gitleaks defaults miss. Also corrects .gitignore which was incorrectly excluding .github/workflows — CI config SHOULD be version-controlled.
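Added example, not part of this PR or its repo: a Python sketch of the kind of check the custom ruleset above describes, flagging JWT-shaped strings whose decoded payload carries the `public-api` audience. The claim layout (`aud`, `iss`), the function names and the sample tokens are assumptions constructed for illustration; gitleaks itself is driven by regex rules, not by this code.

```python
import base64
import json
import re

# A JWT is three base64url segments; JSON header and payload both encode to "eyJ...".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{10,}")

def decode_segment(segment):
    """Decode one base64url segment to a dict; None if it is not a JSON object."""
    try:
        obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def find_public_api_jwts(text, audience="public-api"):
    """Report JWTs whose payload 'aud' claim is (or contains) `audience`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in JWT_RE.finditer(line):
            token = match.group(0)
            header_seg, payload_seg, _sig = token.split(".")
            header, payload = decode_segment(header_seg), decode_segment(payload_seg)
            if header is None or payload is None:
                continue  # JWT-shaped string that does not decode: skip
            aud = payload.get("aud")
            if audience in (aud if isinstance(aud, list) else [aud]):
                # Never echo the full secret into CI logs; keep a short prefix only.
                findings.append({"line": lineno, "iss": payload.get("iss"),
                                 "redacted": token[:12] + "..."})
    return findings

def make_sample_token(payload):
    """Build a constructed, unsigned sample token (the signature is filler)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(payload), "A" * 43])

API_TOKEN = make_sample_token({"sub": "user-1", "iss": "n8n", "aud": "public-api"})
WEB_TOKEN = make_sample_token({"sub": "user-1", "aud": "web-session"})
SAMPLE = ("// constructed sample, not the repo's fix_workflow.js\n"
          f'const N8N_KEY = "{API_TOKEN}";\n'
          f'const SESSION = "{WEB_TOKEN}";\n')

if __name__ == "__main__":
    for finding in find_public_api_jwts(SAMPLE):
        print(finding)
```

Decoding the payload instead of matching any `eyJ...` string keeps unrelated JWTs, such as the constructed session token on line 3 of the sample, out of the findings.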
The unanchored 'workflows/' pattern was accidentally ignoring '.github/workflows/' too — which is why gitleaks workflow required force-add on the previous commit. Prefixing with / restricts it to the repo-root workflows/ directory only.
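Added example, not from the repo: the anchoring behaviour described in the commit message above, checked against real git with `git check-ignore` in a throwaway repository. The file names under each directory and the function name are constructed, and `git` is assumed to be on PATH.

```python
import os
import subprocess
import tempfile

# Constructed paths: one CI workflow file, one client workflow file.
PATHS = [".github/workflows/gitleaks.yml", "workflows/CMCA/p0.json"]

def ignored_paths(pattern, paths=PATHS):
    """Return the subset of `paths` git ignores under a one-line .gitignore."""
    with tempfile.TemporaryDirectory() as repo:
        def git(*args):
            return subprocess.run(["git", *args], cwd=repo,
                                  capture_output=True, text=True)
        git("init", "-q")
        for path in paths:
            full = os.path.join(repo, path)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        with open(os.path.join(repo, ".gitignore"), "w") as fh:
            fh.write(pattern + "\n")
        # check-ignore exits 0 when the path is ignored and 1 when it is not.
        return [p for p in paths if git("check-ignore", "-q", p).returncode == 0]

if __name__ == "__main__":
    # Unanchored: matches a directory named workflows at any depth.
    print("workflows/  ->", ignored_paths("workflows/"))
    # Anchored: matches only the workflows directory at the repo root.
    print("/workflows/ ->", ignored_paths("/workflows/"))
```

Run as a CI step, the same check fails loudly if a later `.gitignore` edit starts hiding `.github/workflows/` again.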
During a thorough audit of this public repo, I found live client data and a production n8n API token accidentally committed. This PR removes them from the current tree, but since git history retains deleted files, the exposed credentials must be rotated separately.
🔴 REMEDIATION CHECKLIST (do these regardless of this PR)
- ...U26PA-s in fix_workflow.js. Go to https://designshopp.app.n8n.cloud → Settings → API → revoke (or rotate all tokens and issue a new one)
- vjtpykjmrukhypghzqnt doesn't have any RLS-bypass endpoints exposed
What this PR removes
60 files, ~31,700 lines of code/content removed:
Internal handoff documentation (108 KB)
- PROGRESS.md (49 KB) — internal build log, references Supabase project ID + team
- CMCA_Progress_Handoff.md (16 KB) — internal handoff
- REX_CONTEXT_HANDOFF.md (14 KB) — internal handoff
- SEO_Report_Automation_Phase1_Summary.md (30 KB) — belongs to a different project
Stray dev scripts
- fix_workflow.js — contained live n8n API JWT + credential IDs (see remediation above)
Client workflow files (52 files across 7 projects)
- workflows/CMCA/ — 31 files including build scripts and P0/P2/P3-P4-P5 workflow JSONs
- workflows/CPA/ — 5 files including CPA_PROGRESS_REPORT.md and workflow JSONs
- workflows/CUAL/ — 1 workflow JSON
- workflows/SEO/ — 1 workflow JSON
- workflows/Stil-Design/ — 3 design sample + discovery docs
- workflows/Tornatech/ — 8 workflow JSONs including translation phase 2
- workflows/misc/ — 2 workflow JSONs
Stray client deliverable directory
- proposal studio/ (with space in name — likely a copy/paste mistake)
- automation-meeting-prep.html (68 KB)
- docs/superpowers/specs/2026-04-04-proposal-templates-design.md
.gitignore hardening
Added patterns to prevent future recurrence:
What this PR does NOT do
❌ This does NOT rewrite git history.
All deleted files remain retrievable from any commit prior to this one. That means:
- git clones the repo
Why I chose NOT to rewrite history:
- main is blocked by branch protection rules (good security — leaving those alone)
If you want to try history rewrite anyway, the process is: temporarily disable branch protection → git filter-repo --path fix_workflow.js --invert-paths + repeat for each file → force-push → re-enable protection. I'd recommend against it — rotation is simpler and more effective.
What remains in the repo (intentionally kept)
- src/, public/, package.json, tsconfig.json, etc.
- README.md (now with the 3 images from PR Add hero + product-flow + editor-mockup visuals to README #1)
- SETUP.md, .env.example, CLAUDE.md, AGENTS.md (conventional dev docs)
- .gitignore (updated with prevention patterns)
Test plan
- github.com/RexOwenDev/proposal-studio/pull/2/files
- git log -- fix_workflow.js shows file history ends at this commit on main
🤖 Generated with Claude Code
Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com