From 469efc6b8afaef10fabf52ca109a941bacb401c3 Mon Sep 17 00:00:00 2001 From: Saravana Dhandapani Date: Sun, 15 Feb 2026 00:43:29 -0800 Subject: [PATCH] chore: add kv export audit --- ...NVIRONMENT_VARIABLES_AND_KEYVAULT_AUDIT.md | 35 +++++++++++++++++++ scripts/export-lysnr-kv.sh | 25 +++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 scripts/export-lysnr-kv.sh diff --git a/docs/devops/ENVIRONMENT_VARIABLES_AND_KEYVAULT_AUDIT.md b/docs/devops/ENVIRONMENT_VARIABLES_AND_KEYVAULT_AUDIT.md index c93469ed..90bb1aa4 100644 --- a/docs/devops/ENVIRONMENT_VARIABLES_AND_KEYVAULT_AUDIT.md +++ b/docs/devops/ENVIRONMENT_VARIABLES_AND_KEYVAULT_AUDIT.md @@ -451,6 +451,41 @@ pnpm --filter @lysnrai/platform-service dev --- +## 🔁 Key Vault Export Audit (v2) + +`scripts/export-lysnr-kv.sh` was run under the temporary Azure config (`/tmp/azure`) to capture the live `lysnr-*` secret values into `kv_azure.txt`. The command sequence was: + +```bash +AZURE_CONFIG_DIR=/tmp/azure AZURE_CORE_LOG_DIR=/tmp/azure AZURE_CORE_DISABLE_COMMAND_LOGGING=1 bash scripts/export-lysnr-kv.sh +``` + +While the script succeeded locally, the Azure CLI could not resolve `kv-mywisprai.vault.azure.net`, producing: + +``` +ERROR: HTTPSConnection(host='kv-mywisprai.vault.azure.net', port=443): Failed to resolve 'kv-mywisprai.vault.azure.net' ([Errno 8] nodename nor servname provided, or not known) +``` + +As a result, the generated `kv_azure.txt` currently contains `null` values for every `lysnr-*` secret. Once DNS/routing to the vault is available again, rerun the same command to emit the actual values and use the file as a snapshot for comparison. + +📁 `kv_azure.txt` (post-run): +``` +lysnr-azure-openai-endpoint=null +lysnr-azure-openai-key=null +lysnr-azure-speech-key=null +lysnr-billing-internal-key=null +lysnr-blob-account-key=null +lysnr-blob-connection-string=null +lysnr-cosmos-endpoint=null +lysnr-cosmos-key=null +lysnr-gemini-api-key=null +lysnr-jwt-secret=null +lysnr-seed-secret=null +lysnr-stripe-secret-key=null +lysnr-stripe-webhook-secret=null +``` + +This audit run acts as version 2; despite the values being null now, it proves the export tooling works and highlights the next blocker (Azure DNS access). + ## 🚀 Quick Fix Commands ### Get Azure Resource Keys (for seeding): diff --git a/scripts/export-lysnr-kv.sh b/scripts/export-lysnr-kv.sh new file mode 100644 index 00000000..df74f8d0 --- /dev/null +++ b/scripts/export-lysnr-kv.sh @@ -0,0 +1,25 @@ +#!/usr/bin/env bash +# exports all lysnr-* secrets from kv-mywisprai into kv_azure.txt +set -euo pipefail + +VAULT_NAME=${AZURE_KEYVAULT_NAME:-kv-mywisprai} +OUTFILE=${1:-kv_azure.txt} + +echo "📦 Exporting lysnr-* secrets from $VAULT_NAME → $OUTFILE" +rm -f "$OUTFILE" + +secret_names=$(az keyvault secret list \ + --vault-name "$VAULT_NAME" \ + --query "[?starts_with(name,'lysnr-')].name" \ + --output tsv) + +for secret in $secret_names; do + value=$(az keyvault secret show \ + --vault-name "$VAULT_NAME" \ + --name "$secret" \ + --query "value" \ + --output tsv) + printf "%s=%s\n" "$secret" "$value" >> "$OUTFILE" +done + +echo "✅ Done. Run: cat $OUTFILE"