memorylink 2.0.2 → 2.1.1

package/docs/REMEDIATION.md

@@ -1,234 +1,332 @@
-# Remediation Guides
+# 🔄 Secret Remediation Guide
 
-When MemoryLink detects a secret, follow these provider-specific remediation steps to secure your codebase.
+**Version:** 2.0.2  
+**Last Updated:** January 2, 2026
 
-## 🔄 General Remediation Process
+When MemoryLink detects a secret, you should **rotate it immediately**. This guide provides direct links to rotate secrets for common providers.
 
-1. **Identify** the secret type
-2. **Revoke** the exposed secret immediately
-3. **Generate** a new secret
-4. **Update** your code/config
-5. **Remove** from Git history
-6. **Review** access logs
-
-## 🔐 Provider-Specific Guides
+---
 
-### GitHub
+## ⚠️ Important: Always Assume Compromise
 
-**Patterns Detected**: `ghp_...`, `gho_...`, `ghu_...`, `ghs_...`, `ghr_...`
-
-**Steps**:
-1. Go to [GitHub Settings → Developer settings → Personal access tokens](https://github.com/settings/tokens)
-2. Find the exposed token and click **"Revoke"**
-3. Generate a new token if needed
-4. Update your code/config with the new token
-5. Remove the old token from Git history:
-   ```bash
-   # Using git filter-branch
-   git filter-branch --force --index-filter \
-     "git rm --cached --ignore-unmatch PATH_TO_FILE" \
-     --prune-empty --tag-name-filter cat -- --all
-   
-   # Or use BFG Repo-Cleaner (recommended)
-   bfg --replace-text passwords.txt
-   ```
-6. Review [GitHub audit log](https://github.com/settings/security-log) for unauthorized access
-
-**Reference**: [GitHub Personal Access Tokens Documentation](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)
+If a secret was detected, assume it may have been exposed:
+1. **Rotate immediately** - Don't wait
+2. **Check access logs** - Look for unauthorized use
+3. **Update all locations** - Environment variables, CI secrets, etc.
+4. **Review Git history** - Use `ml gate --history`
 
 ---
 
+## ☁️ Cloud Providers
+
 ### AWS
 
-**Patterns Detected**: `AKIA...`, AWS secret keys, S3 credentials
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Access Key ID / Secret** | [AWS IAM Console → Users → Security Credentials](https://console.aws.amazon.com/iam/home#/users) |
+| **Session Token** | Expires automatically, rotate base credentials |
+
+**Steps:**
+1. Go to IAM → Users → Select user
+2. Security credentials tab
+3. Create new access key
+4. Delete old access key
+5. Update all applications
+
+### Google Cloud (GCP)
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Service Account Key** | [GCP Console → IAM → Service Accounts](https://console.cloud.google.com/iam-admin/serviceaccounts) |
+| **API Key** | [GCP Console → APIs → Credentials](https://console.cloud.google.com/apis/credentials) |
+| **OAuth Client Secret** | [GCP Console → APIs → Credentials](https://console.cloud.google.com/apis/credentials) |
+
+### Microsoft Azure
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Client Secret** | [Azure Portal → App Registrations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps) |
+| **Storage Account Key** | [Azure Portal → Storage Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) |
+| **Connection String** | Regenerate from respective service |
 
-**Steps**:
-1. Go to [AWS IAM Console → Users → Security credentials](https://console.aws.amazon.com/iam/home#/users)
-2. Find the exposed access key and click **"Delete"**
-3. Create a new access key if needed
-4. Update your code/config with the new key
-5. **Rotate the secret access key immediately**
-6. Review [CloudTrail logs](https://console.aws.amazon.com/cloudtrail) for unauthorized access
-7. Check S3 bucket access logs if applicable
+### DigitalOcean
 
-**Reference**: [AWS Access Keys Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Personal Access Token** | [DigitalOcean → API → Tokens](https://cloud.digitalocean.com/account/api/tokens) |
+| **Spaces Access Key** | [DigitalOcean → API → Spaces Keys](https://cloud.digitalocean.com/account/api/tokens) |
 
 ---
 
-### OpenAI / Anthropic
+## 🤖 AI/ML Services
 
-**Patterns Detected**: `sk-...`, `sk-ant-...`
+### OpenAI
 
-**Steps**:
-1. Go to [OpenAI Dashboard → API keys](https://platform.openai.com/api-keys) or [Anthropic Console](https://console.anthropic.com/)
-2. Find the exposed key and click **"Revoke"** or **"Delete"**
-3. Generate a new API key
-4. Update your code/config with the new key
-5. Monitor API usage for suspicious activity:
-   - OpenAI: [Usage Dashboard](https://platform.openai.com/usage)
-   - Anthropic: Check usage logs in console
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **API Key** | [OpenAI Platform → API Keys](https://platform.openai.com/api-keys) |
 
-**Reference**: 
-- [OpenAI API Keys](https://platform.openai.com/api-keys)
-- [Anthropic API Keys](https://docs.anthropic.com/claude/docs/authentication)
+**Steps:**
+1. Go to API Keys page
+2. Click "Create new secret key"
+3. Delete the old key
+4. Update your applications
+
+### Anthropic (Claude)
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **API Key** | [Anthropic Console → API Keys](https://console.anthropic.com/settings/keys) |
+
+### Hugging Face
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Access Token** | [Hugging Face → Settings → Access Tokens](https://huggingface.co/settings/tokens) |
+
+### Cohere
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **API Key** | [Cohere Dashboard → API Keys](https://dashboard.cohere.ai/api-keys) |
 
 ---
 
-### Database
-
-**Patterns Detected**: Database URLs, connection strings, passwords
-
-**Steps**:
-1. **Change the database password immediately**
-2. Update connection strings in your code/config
-3. Review database access logs for unauthorized connections
-4. Consider rotating all database credentials
-5. Use environment variables or secret managers going forward:
-   ```bash
-   # Use environment variables
-   export DB_PASSWORD="new_password"
-   
-   # Or use secret managers (AWS Secrets Manager, HashiCorp Vault, etc.)
-   ```
-6. Update `.env` files and ensure they're in `.gitignore`
-
-**Best Practices**:
-- Never commit `.env` files
-- Use secret managers in production
-- Rotate credentials regularly
+## 💳 Payment Providers
+
+### Stripe
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Secret Key** | [Stripe Dashboard → Developers → API Keys](https://dashboard.stripe.com/apikeys) |
+| **Webhook Secret** | [Stripe Dashboard → Developers → Webhooks](https://dashboard.stripe.com/webhooks) |
+
+**Note:** Stripe keys start with `sk_live_` (production) or `sk_test_` (test). Rotate production keys immediately!
+
+### PayPal
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Client ID / Secret** | [PayPal Developer → My Apps](https://developer.paypal.com/developer/applications/) |
+
+### Razorpay 🇮🇳
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Key ID / Secret** | [Razorpay Dashboard → Settings → API Keys](https://dashboard.razorpay.com/app/keys) |
+
+### Square
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Access Token** | [Square Developer Dashboard](https://developer.squareup.com/apps) |
 
 ---
 
-### Generic API Keys
+## 🔐 Authentication Providers
+
+### GitHub
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Personal Access Token** | [GitHub → Settings → Developer Settings → PAT](https://github.com/settings/tokens) |
+| **OAuth App Secret** | [GitHub → Settings → Developer Settings → OAuth Apps](https://github.com/settings/developers) |
+| **App Private Key** | [GitHub → Settings → Developer Settings → GitHub Apps](https://github.com/settings/apps) |
+
+### GitLab
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Personal Access Token** | [GitLab → Preferences → Access Tokens](https://gitlab.com/-/profile/personal_access_tokens) |
 
-**Patterns Detected**: Generic `api_key=...`, `API_KEY=...`, etc.
+### Slack
 
-**Steps**:
-1. **Identify the API provider**
-2. Log into the provider dashboard
-3. Revoke the exposed API key
-4. Generate a new API key
-5. Update your code/config with the new key
-6. Review API usage logs for unauthorized access
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Bot Token** | [Slack API → Your Apps](https://api.slack.com/apps) |
+| **Webhook URL** | [Slack API → Your Apps → Incoming Webhooks](https://api.slack.com/apps) |
 
-**Common Providers**:
-- Stripe: [API Keys](https://dashboard.stripe.com/apikeys)
-- Twilio: [API Keys](https://console.twilio.com/)
-- SendGrid: [API Keys](https://app.sendgrid.com/settings/api_keys)
-- Mailgun: [API Keys](https://app.mailgun.com/app/account/security/api_keys)
+### Discord
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Bot Token** | [Discord Developer Portal](https://discord.com/developers/applications) |
+| **Webhook URL** | Create new webhook in channel settings |
+
+### Auth0
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Client Secret** | [Auth0 Dashboard → Applications](https://manage.auth0.com/) |
+| **Management API Token** | [Auth0 Dashboard → APIs](https://manage.auth0.com/) |
 
 ---
 
-### Personal Data (PII)
+## 🗄️ Database Services
+
+### MongoDB Atlas
 
-**Patterns Detected**: SSN, Credit Cards, Email, Phone, etc.
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Connection String** | [MongoDB Atlas → Database Access](https://cloud.mongodb.com/) |
 
-**Steps**:
-1. **Identify what type of personal data** this is
-2. **Assess the risk**:
-   - If it's your own data: Remove it
-   - If it's customer data: **Notify affected parties** (GDPR/CCPA compliance)
-3. **Remove the data** from code/config
-4. **Remove from Git history** (critical for PII)
-5. **Review access logs** for unauthorized access
-6. **Consider legal requirements** (data breach notification)
+**Steps:**
+1. Go to Database Access
+2. Edit user, set new password
+3. Update connection strings
 
-**Legal Considerations**:
-- GDPR (EU): 72-hour breach notification
-- CCPA (California): Consumer notification required
-- HIPAA (US Healthcare): Breach notification required
+### Supabase
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Service Role Key** | [Supabase Dashboard → Settings → API](https://app.supabase.com/) |
+| **Anon Key** | Public key, but rotate if needed |
+
+### Firebase
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Service Account Key** | [Firebase Console → Project Settings → Service Accounts](https://console.firebase.google.com/) |
+
+### Redis Labs
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Database Password** | [Redis Labs Console → Database → Configuration](https://app.redislabs.com/) |
 
 ---
 
-## 🛠️ Git History Cleanup
+## 📧 Email/SMS Services
 
-### Using git filter-branch
+### SendGrid
 
-```bash
-# Remove file from all commits
-git filter-branch --force --index-filter \
-  "git rm --cached --ignore-unmatch PATH_TO_FILE" \
-  --prune-empty --tag-name-filter cat -- --all
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **API Key** | [SendGrid → Settings → API Keys](https://app.sendgrid.com/settings/api_keys) |
 
-# Force push (WARNING: Rewrites history)
-git push origin --force --all
-```
+### Mailgun
 
-### Using BFG Repo-Cleaner (Recommended)
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **API Key** | [Mailgun → API Security](https://app.mailgun.com/app/account/security/api_keys) |
 
-```bash
-# Install BFG
-brew install bfg  # macOS
-# or download from https://rtyley.github.io/bfg-repo-cleaner/
+### Twilio
 
-# Create passwords file
-echo "OLD_SECRET" > passwords.txt
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Auth Token** | [Twilio Console → Account Info](https://console.twilio.com/) |
+| **API Key** | [Twilio Console → API Keys](https://console.twilio.com/) |
 
-# Clean repository
-bfg --replace-text passwords.txt
+---
 
-# Clean up
-git reflog expire --expire=now --all
-git gc --prune=now --aggressive
-```
+## 🌐 Deployment Platforms
 
-### Using git-filter-repo (Modern Alternative)
+### Vercel
 
-```bash
-# Install git-filter-repo
-pip install git-filter-repo
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Token** | [Vercel → Settings → Tokens](https://vercel.com/account/tokens) |
 
-# Remove secrets
-git filter-repo --invert-paths --path PATH_TO_FILE
-```
+### Netlify
 
-## ✅ Verification
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Personal Access Token** | [Netlify → User Settings → Applications](https://app.netlify.com/user/applications) |
 
-After remediation, verify the fix:
+### Heroku
 
-```bash
-# Scan again
-ml scan
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **API Key** | [Heroku → Account Settings](https://dashboard.heroku.com/account) |
 
-# Check gate
-ml gate --rule block-quarantined
+### Railway
 
-# Check Git history
-ml gate --rule block-quarantined --history
-```
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Token** | [Railway → Account Settings → Tokens](https://railway.app/account/tokens) |
 
-## 🚨 Emergency Response
+---
+
+## 🇮🇳 India-Specific Services
+
+### Paytm
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Merchant Key** | [Paytm Dashboard → API Keys](https://dashboard.paytm.com/next/apikeys) |
+
+### PhonePe
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **API Key** | Contact PhonePe Business Support |
+
+### Cashfree
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **App ID / Secret** | [Cashfree Dashboard → Credentials](https://merchant.cashfree.com/) |
+
+---
+
+## 🔧 Development Tools
+
+### npm
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Auth Token** | [npm → Access Tokens](https://www.npmjs.com/settings/~/tokens) |
+
+### Docker Hub
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **Access Token** | [Docker Hub → Account Settings → Security](https://hub.docker.com/settings/security) |
+
+### CircleCI
+
+| Secret Type | Rotation Link |
+|-------------|---------------|
+| **API Token** | [CircleCI → User Settings → Personal API Tokens](https://app.circleci.com/settings/user/tokens) |
 
-If a secret is exposed in a public repository:
+---
+
+## 📋 General Rotation Checklist
 
-1. **Immediately revoke** the secret
-2. **Generate new secret**
-3. **Update all systems** using the old secret
-4. **Review access logs** for unauthorized usage
-5. **Consider rotating all related secrets**
-6. **Clean Git history** (if repository is public)
-7. **Monitor for abuse** (unauthorized API calls, etc.)
+After rotating a secret:
 
-## 📋 Remediation Checklist
+- [ ] **Update environment variables** (local `.env` files)
+- [ ] **Update CI/CD secrets** (GitHub Actions, GitLab CI, etc.)
+- [ ] **Update deployment platforms** (Vercel, Netlify, etc.)
+- [ ] **Update configuration files** (ensure not committed!)
+- [ ] **Test the application** (verify new key works)
+- [ ] **Check audit logs** (look for unauthorized access)
+- [ ] **Run `ml scan`** (verify no secrets remain)
+
+---
 
-- [ ] Secret revoked/rotated
-- [ ] New secret generated
-- [ ] Code/config updated
-- [ ] Git history cleaned (if public repo)
-- [ ] Access logs reviewed
-- [ ] Team notified (if applicable)
-- [ ] Legal/compliance notified (if PII)
-- [ ] Monitoring enabled for suspicious activity
-- [ ] Documentation updated
-- [ ] Prevention measures implemented
+## 🚨 Emergency Response
 
-## 🔗 Additional Resources
+If you believe a secret was exploited:
 
-- [GitHub: Removing sensitive data](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)
-- [OWASP: Secret Management](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)
-- [NIST: Incident Response](https://www.nist.gov/cyberframework)
+1. **Rotate immediately** - Don't investigate first
+2. **Check access logs** - Provider dashboards usually have this
+3. **Revoke sessions** - Force re-authentication
+4. **Enable MFA** - If not already enabled
+5. **Contact provider** - Report potential breach
+6. **Document incident** - For compliance
 
 ---
 
-**Remember**: Speed is critical when secrets are exposed. Revoke immediately, then investigate.
+## 📞 Provider Security Contacts
+
+| Provider | Security Contact |
+|----------|------------------|
+| AWS | [AWS Security](https://aws.amazon.com/security/vulnerability-reporting/) |
+| Google | [Google Security](https://www.google.com/about/appsecurity/) |
+| GitHub | [GitHub Security](https://github.com/security) |
+| Stripe | [Stripe Security](https://stripe.com/docs/security) |
+
+---
 
+*This guide is part of MemoryLink's security documentation. Always follow your organization's incident response procedures.*