From 298065dd95f4eb2e7ddceae7148c922ec94236fa Mon Sep 17 00:00:00 2001
From: Jeff Emmett <jeffemmett@gmail.com>
Date: Tue, 10 Feb 2026 01:09:19 +0000
Subject: [PATCH] docs(backlog): add security credential rotation task (task-2)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 ...eaked-credentials-and-scrub-git-history.md | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 backlog/tasks/task-2 - Rotate-leaked-credentials-and-scrub-git-history.md

diff --git a/backlog/tasks/task-2 - Rotate-leaked-credentials-and-scrub-git-history.md b/backlog/tasks/task-2 - Rotate-leaked-credentials-and-scrub-git-history.md
new file mode 100644
index 0000000..bb4ffb6
--- /dev/null
+++ b/backlog/tasks/task-2 - Rotate-leaked-credentials-and-scrub-git-history.md	
@@ -0,0 +1,45 @@
+---
+id: task-2
+title: Rotate leaked credentials and scrub git history
+status: Done
+assignee:
+  - '@claude'
+created_date: '2026-02-10 01:09'
+labels:
+  - security
+  - infrastructure
+  - n8n
+dependencies: []
+priority: high
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+Security hardening after GitGuardian detected exposed SMTP credentials in GitHub. Rotated all leaked secrets, rewrote git history with git-filter-repo, and moved all configuration to server-side .env files.
+
+Changes made:
+- Switched n8n email from Resend API to Mailcow SMTP (self-hosted)
+- Created hello@cosmolocal.world mailbox in Mailcow
+- Created SMTP credential in n8n via API
+- Updated workflows 02 (Lead Nurturing) and 04 (Follow-up Reminders) via n8n API
+- Removed all hardcoded secrets from docker-compose.yml (DB password, SMTP host/port/sender)
+- Rotated: Resend API key (deprecated), Listmonk API password, n8n DB password, SMTP password
+- Ran git-filter-repo 3x to scrub secrets from all commits and commit messages
+- Force-pushed cleaned history to both Gitea and GitHub
+- All credentials now in /opt/websites/cosmolocal-website/.env (gitignored)
+
+Remaining: Revoke old Resend API key in Resend dashboard (manual).
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [ ] #1 Resend API key removed from codebase and history
+- [ ] #2 Listmonk password rotated
+- [ ] #3 n8n DB password rotated and moved to .env
+- [ ] #4 SMTP password rotated
+- [ ] #5 SMTP host/port/sender moved to env vars
+- [ ] #6 Git history clean - zero secret matches
+- [ ] #7 All services healthy after redeployment
+- [ ] #8 GitGuardian alert resolved
+<!-- AC:END -->