בס״ד

Make eden-gardens-os Private + GitHub Sensitive Data Sweep

docs/HOW_TO/eden-private-github-sweep.md · last changed (pre-VM history) · rendered from GitHub master

Codified from Gmail draft 19dc10fe801e01f7 · Apr 24 2026

NOTE Apr 26 2026: Per feedback_privacy_guardrails.md, Sam already audited repo visibility.
All 9 sensitive repos confirmed PRIVATE. 3 PUBLIC repos flagged for spot-check
(hookstreetservices-site, abnbcalc, north-woodmere-lawn-coop).
This doc is the original procedure for any future repo sweep.

Honest answer first

eden-gardens-os privacy flip = 30 seconds.
Full repo sweep for exposed secrets/PII = 30–45 min.
Do the 30-second fix TODAY. Schedule the sweep separately.

Part 1 — Flip eden-gardens-os private (30 sec)

  1. Go to: github.com/zee78900/eden-gardens-os/settings
  2. Scroll to "Danger Zone" at bottom
  3. "Change repository visibility" → Change to private
  4. Type repo name to confirm
  5. Done. Verify by opening incognito browser → repo URL → should 404

Part 2 — Full repo sweep (30–45 min)

  1. List all your repos: github.com/zee78900?tab=repositories

  2. For each PUBLIC repo, scan for:
    - API keys (OpenAI, Anthropic, Google, etc.) — search for sk-, api_key, AKIA
    - .env files (should never be committed)
    - Client names (Eli, Huvie, Steinhardt, Eden Gardens)
    - Financial data (account numbers, balances, SSN)
    - Personal addresses, phone numbers
    - CONTEXT.md / OBLIGATIONS.md style files

  3. Quick scan command per repo (run locally):
    git log --all -p | grep -iE "(api_key|secret|password|sk-[a-zA-Z0-9]|AKIA)"

  4. If anything found:
    - ROTATE the secret first (assume it's already scraped)
    - Then remove from history with BFG Repo-Cleaner (run against a --mirror clone, per the BFG docs):
      bfg --delete-files .env <repo>
      cd <repo> && git reflog expire --expire=now --all && git gc --prune=now --aggressive
      git push --force
    - For client/financial data: just make repo private, don't bother scrubbing history

  5. Move to private (same flow as Part 1):
    - hookstreet-workspace — likely should be private
    - hookstreet-bos-sheets — definitely private (financial data)
    - Any repo with client names

  6. Set defaults going forward:
    github.com/settings/repositories → "Default repository visibility" → Private

  7. Add a global .gitignore template:
    touch ~/.gitignore_global
    Add: CONTEXT.md, OBLIGATIONS.md, *.env, credentials/, *.key, *.pem
    (*.env does not match .env.local and friends; add .env.* too if you use them)
    git config --global core.excludesfile ~/.gitignore_global
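The history grep in step 3, as an added example that is not part of this doc: a small Python scanner that walks `git log --all -p` output, records which commit and file each hit came from, and checks removed lines as well as added ones. The sample log, commit ids and key values are constructed.

```python
import re

# Patterns from the page's sweep list (sk-, api_key, AKIA, secret, password).
SECRET_PATTERNS = {
    "sk- style api key": re.compile(r"\bsk-[A-Za-z0-9_-]{8,}"),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential assignment": re.compile(r"(?i)(api_key|secret|password)\s*[=:]\s*\S+"),
}

def scan_history(log_text):
    """Walk `git log --all -p` output; return (short commit, path, pattern) per hit.
    Removed (-) lines count too: a secret deleted later still sat in public history."""
    findings, commit, path = [], "?", "?"
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, path = line.split()[1][:7], "?"
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[-1]
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            for name, pat in SECRET_PATTERNS.items():
                if pat.search(line):
                    findings.append((commit, path, name))
                    break  # one report per line even if several patterns hit
    return findings

# Constructed sample of `git log --all -p` output (fake commits, fake keys):
# commit 1 adds a .env, commit 2 deletes it and moves a password into the environment.
SAMPLE_LOG = """\
commit 1a2b3c4d5e6f7890
diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+OPENAI_API_KEY=sk-abc123DEF456ghi789
+AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
commit 9f8e7d6c5b4a3210
diff --git a/.env b/.env
--- a/.env
+++ /dev/null
@@ -1,2 +0,0 @@
-OPENAI_API_KEY=sk-abc123DEF456ghi789
-AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
diff --git a/app.py b/app.py
--- a/app.py
+++ b/app.py
@@ -1 +1 @@
-password = "hunter2"
+password = os.environ["DB_PASSWORD"]
"""
```

For a real repo, call scan_history() on the captured output of git log --all -p. The app.py hits show the pattern also flags the fixed line, so the output still needs a manual triage pass before rotating anything.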

Done state

Source trail · docs/HOW_TO/eden-private-github-sweep.md @ master · rendered 2026-07-02 7:23 PM EDT by scripts/build-docs.py · the .md in the repo is the truth; this page is the phone-readable view