# Incident: UniFi Baseline Secret Leak (2026-05-22) ## Summary A raw UniFi baseline export was committed to the main `truenas-stacks` repo during the May 22, 2026 network-cutover documentation pass. GitGuardian later flagged three secret leaks in the latest commits. The leaked material came from a controller export artifact, not from a normal `.env` file. ## What leaked The committed file contained three WireGuard secrets in `home/doris-dashboard/docs/baselines/unifi-object-baseline-2026-05-22-024653.json`: 1. an embedded `wireguard_client_configuration_file` containing a `PrivateKey = ...` 2. one `x_wireguard_private_key` 3. another `x_wireguard_private_key` ## How it happened The failure mode was: 1. a read-only UniFi object baseline was captured to support cautious cutover work 2. the export was saved as a raw JSON artifact under `home/doris-dashboard/docs/baselines/` 3. that raw export was treated like a harmless recon artifact and committed alongside other network redesign docs 4. the export included VPN/WireGuard fields that are safe for controller runtime but unsafe for a git-tracked documentation repo 5. GitGuardian detected the leaked keys after push ## Root cause This was a process failure, not a git-crypt failure. The repo already had rules for `.env` secrets, but not a strong enough rule for **controller exports / diagnostic baselines / machine snapshots** that may embed secrets even when they are not named `.env`. In short: - we protected the usual secret files - we did **not** treat raw infrastructure exports as secret-bearing by default ## Remediation completed The following remediation was performed: - the leaked values were removed from the working tree - git history was rewritten to purge the exact leaked values - cleaned history was force-pushed to both `origin` and `github` - raw JSON baseline exports under `home/doris-dashboard/docs/baselines/` were moved out of the main repo policy - the repo now documents that only sanitized summaries or explicitly redacted artifacts belong in the main repo ## New permanent rules 1. **Raw controller/API exports do not belong in the main repo.** - Examples: UniFi `networkconf`, `portconf`, full appliance JSON dumps, diagnostic snapshots, vendor backups, tunnel/client config exports. 2. **Assume machine exports are secret-bearing until proven otherwise.** - If it came from a controller or appliance, inspect it like a secret file. 3. **Only commit one of these:** - a markdown summary - a purpose-built redacted JSON artifact - a generated diff with secret-bearing keys removed 4. **Before committing infra artifacts, scan them explicitly.** - Look for terms like `private_key`, `wireguard`, `token`, `secret`, `password`, `Authorization`, `cookie`, `client_secret`. 5. **If raw export retention is required, store it outside the main repo.** - Prefer the encrypted secrets repo or another non-public operator-only location. 6. **If a secret-bearing export is committed, treat it as an incident.** - redact/remove from current tree - rewrite history - force-push - rotate live credentials/keys as appropriate ## Operator follow-up still recommended History cleanup fixed the repo exposure. If any leaked WireGuard keys were active in production at the time of exposure, rotate them deliberately and update affected clients. ## Prevent-recurrence checklist - [ ] raw exports ignored by default in the repo path where they are commonly captured - [ ] incident documented in `SECRETS_MANAGEMENT.md` - [ ] dashboard baseline directory has a README explaining what may and may not be committed - [ ] future cutover notes point to sanitized summaries rather than raw exports