Remove leaked .env files and add secret management infrastructure (Resolves #82)

[overcut-ai]

Overall goal

Eliminate leaked secrets that were previously committed and introduce mechanisms to prevent similar incidents in the future.

Implemented tasks

• Update .gitignore to ignore secret files (*.env, *.env.*)
• Remove leaked .env files from server and admin apps
• Add .env.example template with placeholder variables for local development
• Update README with Security & Secret Management guidelines
• (Workflow creation skipped due to permission) — Repository owners should add CI-based secret scanning (e.g., truffleHog) once permissions are configured

Follow-up actions required

1. Rewrite Git history to purge leaked .env files from all previous commits.
2. Rotate any credentials that were exposed.
3. Add secret-scanning workflow once the GitHub App permissions include workflows scope.

Resolves #82

[overcut-ai]

Completed Working on "Code Review v2.0"

✅ Review submitted: REQUEST_CHANGES. Total comments: 6 across 5 files.

---

👉 View complete log

[overcut-ai]

PR Review Summary

Findings by Importance

• 🚫 Blocker: 1
• ⚠️ Major: 3
• ℹ️ Minor: 2

Key Themes

1. Secret Management & History Hygiene – Although leaked .env files were deleted, the secrets remain in Git history. A full rewrite and credential rotation are essential before merge.
2. Environment-Variable Consistency & Completeness – Missing or mismatched variables (JWT_SECRET_KEY, JWT_EXPIRATION, REACT_APP_SERVER_URL) could break builds or runtime behaviour.
3. Documentation & Validation Gaps – Inaccurate references (placeholder PR links, CI-scanning claims) and absent runtime config validation reduce clarity and reliability.

Next Steps

1. Resolve Blocker
   • Perform a complete Git history rewrite (e.g., using git filter-repo) to remove leaked secrets, then force-push the sanitized history.
   • Rotate all affected credentials and update .env.example with new placeholders.

2. Address Major Issues
   • Add missing JWT-related variables and correct the server URL key in .env.example.
   • Update documentation: replace placeholder PR references with the actual link (#89) and clarify the status of CI secret-scanning.
   • Implement environment-variable validation (e.g., Joi schema via @nestjs/config) to prevent mis-configs at runtime.

3. Tackle Minor Improvements
   • Double-check all secret-management instructions for consistency with project policies.
   • Review naming conventions across frontend/back-end to avoid future mismatches.

Once the blocker is resolved and major issues are fixed, re-run CI and request another review pass to confirm readiness for merge.

[overcut-ai]

Missing JWT-related environment variables

JWT_SECRET_KEY and JWT_EXPIRATION are required by the server (see apps/hotel-management-service-server/README.md) but are absent from .env.example, risking misconfiguration and runtime failures.

Suggested fix: Add the following placeholders (with explanatory comments) to .env.example:

JWT_SECRET_KEY=""
JWT_EXPIRATION=""

[overcut-ai]

Inconsistent client server URL variable name

Frontend code expects process.env.REACT_APP_SERVER_URL (see Login.tsx / LoginForm.tsx) but .env.example defines VITE_REACT_APP_SERVER_URL, which will be undefined at runtime.

Suggested fix: Rename the variable in .env.example to REACT_APP_SERVER_URL or update the frontend code to use import.meta.env.VITE_REACT_APP_SERVER_URL per Vite convention.

[overcut-ai]

Placeholder PR link left in docs

PR #?? / pull/XXX placeholders need to be replaced with the actual PR number so future readers can access the referenced change.

Suggested fix: Update the sentence to reference this PR: [PR #89](https://github.com/overcut-ai/awesome-overcut/pull/89).

[overcut-ai]

CI secret-scanning claim inaccurate

The documentation states that the CI pipeline already includes secret scanning, but this PR explicitly says the workflow is deferred due to permissions. Documenting a non-existent control can mislead contributors.

Suggested fix: Clarify that secret-scanning will be added in a follow-up once permissions are granted, or link to the relevant workflow if it already exists.

[overcut-ai]

Secrets still reside in git history

Deleting the .env file in this commit does not purge the sensitive credentials from previous commits. Anyone can retrieve past revisions, so a full git history rewrite and credential rotation are mandatory before merge.

Suggested fix: Perform a full history rewrite (e.g., git filter-repo or GitHub’s "Remove sensitive data" guide), force-push the sanitized history, and rotate all exposed secrets.

[overcut-ai]

Missing runtime environment variable validation

The server reads environment variables via ConfigService, but there is no validation schema in place; missing or malformed values will cause runtime errors that are hard to debug.

Suggested fix: Add @nestjs/config validation (e.g., a Joi schema) to enforce presence and format of required variables such as BCRYPT_SALT, DB_URL, JWT_SECRET_KEY, etc.

[overcut-ai]

Completed Working on "Auto-Changelog Reminder"

✅ Analyzed PR #89, detected user-facing changes (README and .env template updates). No changelog file exists/modified, so posted comment requesting changelog entry with suggested content and awaiting "approve changelog" reply.

---

👉 View complete log

[overcut-ai]

⚠️ A changelog entry is required for user-facing changes.

Here’s a suggested entry you can copy-paste:

## [Unreleased]
### Security
- Removed leaked secret files from the repository and added `.env.example` template.
- Updated `.gitignore` to prevent committing secret files.
- Added secret-management guidelines to `README.md`.

Reply with "approve changelog" and I will create a commit on this PR with the suggested entry.