Remove dead frontend secrets surface (C3, critical)
Two frontend modules referenced privileged secrets but had zero importers anywhere in frontend/src/:

- frontend/src/lib/supabase-server.ts read SUPABASE_SECRET_KEY (the Supabase service-role key, full god mode on the database).
- frontend/src/lib/storage.ts read R2_SECRET_ACCESS_KEY and instantiated an S3 client at module-evaluation time.

Their continued presence meant any future import from a client component would silently leak these secrets to every browser session.

Both files deleted. SUPABASE_SECRET_KEY removed from frontend/.env.local.example. README updated to make explicit that the service-role key belongs in backend/.env only.

Closes security finding C3.

| Repository | cpatpa/PIP |
|---|---|
| Author | Claude <noreply@anthropic.com> |
| Authored | |
| Parents | 3130750f |
| Stats | 4 files changed, +9, -173 |
| Part of | Phase 1 - security audit hardening |
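
A regression guard for the condition this commit removes, as an added example that is not code from the repository: it flags any frontend file that reads a server-only secret and lists which files import it. It assumes secrets are read through `process.env`; the sample tree, `api.ts`, `Upload.tsx`, `PUBLIC_API_URL` and the function names are constructed for illustration.

```javascript
// Constructed sample tree (path -> source); not the repository's real file contents.
const sampleTree = {
  "frontend/src/lib/supabase-server.ts": "export const key = process.env.SUPABASE_SECRET_KEY;",
  "frontend/src/lib/storage.ts": 'const secret = process.env["R2_SECRET_ACCESS_KEY"];',
  "frontend/src/lib/api.ts": "export const base = process.env.PUBLIC_API_URL;", // hypothetical
  "frontend/src/components/Upload.tsx": // hypothetical client component
    'import { base } from "../lib/api";\nimport "../lib/storage";',
};

// Env var names that must never be read under frontend/ (taken from the commit message).
const SERVER_ONLY = ["SUPABASE_SECRET_KEY", "R2_SECRET_ACCESS_KEY"];

// Resolve a relative import specifier against the importing file's directory.
function resolveRelative(fromFile, spec) {
  const parts = fromFile.split("/").slice(0, -1);
  for (const seg of spec.split("/")) {
    if (seg === "..") parts.pop();
    else if (seg !== ".") parts.push(seg);
  }
  return parts.join("/");
}

// Drop a source extension (and a trailing /index) so specifiers and paths compare equal.
const stripExt = (p) => p.replace(/(\/index)?\.(ts|tsx|js|jsx)$/, "");

// Return [{ file, secrets, importers }] for every file that reads a server-only secret.
// A finding with zero importers is still a finding: the next import exposes the key.
function auditFrontendSecrets(tree, secretNames = SERVER_ONLY) {
  const importRe = /(?:from\s+|import\s+|import\(\s*|require\(\s*)["'](\.{1,2}\/[^"']+)["']/g;
  const importersOf = {};
  for (const [file, src] of Object.entries(tree)) {
    for (const m of src.matchAll(importRe)) {
      const target = stripExt(resolveRelative(file, m[1]));
      for (const cand of Object.keys(tree)) {
        if (stripExt(cand) === target) (importersOf[cand] = importersOf[cand] || []).push(file);
      }
    }
  }
  const findings = [];
  for (const [file, src] of Object.entries(tree)) {
    const secrets = secretNames.filter((n) =>
      new RegExp(`process\\.env(?:\\.|\\[["'])${n}\\b`).test(src));
    if (secrets.length) findings.push({ file, secrets, importers: importersOf[file] || [] });
  }
  return findings;
}
```

In CI, the tree would be built from the files under `frontend/src/` and the job would fail on any finding, with or without importers.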