Skip to content

Remove leaked GitHub PAT from .codex/config.toml + gitignore it#115

Merged
erikshafer merged 2 commits into
mainfrom
fix/remove-codex-config-secret
Jun 24, 2026
Merged

Remove leaked GitHub PAT from .codex/config.toml + gitignore it#115
erikshafer merged 2 commits into
mainfrom
fix/remove-codex-config-secret

Conversation

@erikshafer

Copy link
Copy Markdown
Owner

What

These are the two previously-unpushed local commits (6dbe80c, 9bec5e0), rewritten to strip a secret that GitHub Push Protection had blocked.

  • Removed the hardcoded GitHub Personal Access Token that was committed in .codex/config.toml (the local Codex MCP config). The file is now untracked; the working copy stays on each developer's disk.
  • Added .codex/config.toml to .gitignore, in the existing "AI Tool MCP Configuration Files (may contain GitHub PATs)" section alongside .vscode/mcp.json and .cursor/mcp.json — it had simply been missing from that list.

Why

The original push of main was rejected by GitHub Push Protection (GH013 / GITHUB PUSH PROTECTION): a GitHub PAT was present at .codex/config.toml:47 in commit 6dbe80c. The secret never reached origin — it existed only in unpushed local commits.

How it was done

History was rewritten onto this branch rather than pushed to main directly (per the repo's branch-and-PR convention):

  • branched from origin/main (b6f0c8f)
  • re-applied 6dbe80c with the secret file untracked + the .gitignore entry folded into the same commit (ff61d58)
  • re-applied 9bec5e0 unchanged (e4f3f52)
  • local main reset back to origin/main

All code files preserved byte-for-byte (13→13 changed-file parity on the rewritten commit; only the config file was swapped for the gitignore line).

Follow-up (recommended)

The exposed token should be rotated at https://github.com/settings/tokens. Exposure was local-only (it never hit the remote), but the credential sat in plaintext in a commit object + terminal history, so regenerating it is the only way to fully retire it.

Introduce a new set of agent skills for structured AI development, including:
- CritterBids-specific best practices (dual evaluation, frontend slice discipline, SignalR client conventions).
- OpenSpec CLI integration for `propose`, `explore`, `apply`, and `archive` workflows.
Update `AGENTS.md` to document the OpenSpec workspace, update skill invocation guidance, and detail frontend architecture. Also configure Model Context Protocol (MCP) servers in `.codex/config.toml` to support these new agent capabilities.
Resolve IMessageBus from child scope instead of root provider to satisfy DI scope validator in Development environment. Add AsyncServiceScope field with disposal in both RelayHub and PostSaleFanOut test fixtures. Update Aspire packages to 13.4.6, WolverineFx to 6.14.0. Correct nuget.config package source mapping to route only JasperFx.AiSkills to private feed (all WolverineFx/Marten packages resolve from nuget.org).
@erikshafer erikshafer self-assigned this Jun 24, 2026
@erikshafer erikshafer merged commit f228340 into main Jun 24, 2026
3 checks passed
@erikshafer erikshafer deleted the fix/remove-codex-config-secret branch June 24, 2026 01:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant