chore: add kv export audit

2026-02-15 00:43:29 -08:00 · 2026-02-15 00:43:29 -08:00 · 469efc6b8a
commit 469efc6b8a
parent 7c72ed702a
2 changed files with 60 additions and 0 deletions
--- a/docs/devops/ENVIRONMENT_VARIABLES_AND_KEYVAULT_AUDIT.md
+++ b/docs/devops/ENVIRONMENT_VARIABLES_AND_KEYVAULT_AUDIT.md
@ -451,6 +451,41 @@ pnpm --filter @lysnrai/platform-service dev

 ---

+## 🔁 Key Vault Export Audit (v2)
+
+`scripts/export-lysnr-kv.sh` was run under the temporary Azure config (`/tmp/azure`) to capture the live `lysnr-*` secret values into `kv_azure.txt`. The command sequence was:
+
+```bash
+AZURE_CONFIG_DIR=/tmp/azure AZURE_CORE_LOG_DIR=/tmp/azure AZURE_CORE_DISABLE_COMMAND_LOGGING=1 bash scripts/export-lysnr-kv.sh
+```
+
+While the script succeeded locally, the Azure CLI could not resolve `kv-mywisprai.vault.azure.net`, producing:
+
+```
+ERROR: HTTPSConnection(host='kv-mywisprai.vault.azure.net', port=443): Failed to resolve 'kv-mywisprai.vault.azure.net' ([Errno 8] nodename nor servname provided, or not known)
+```
+
+As a result, the generated `kv_azure.txt` currently contains `null` values for every `lysnr-*` secret. Once DNS/routing to the vault is available again, rerun the same command to emit the actual values and use the file as a snapshot for comparison.
+
+📁 `kv_azure.txt` (post-run):
+```
+lysnr-azure-openai-endpoint=null
+lysnr-azure-openai-key=null
+lysnr-azure-speech-key=null
+lysnr-billing-internal-key=null
+lysnr-blob-account-key=null
+lysnr-blob-connection-string=null
+lysnr-cosmos-endpoint=null
+lysnr-cosmos-key=null
+lysnr-gemini-api-key=null
+lysnr-jwt-secret=null
+lysnr-seed-secret=null
+lysnr-stripe-secret-key=null
+lysnr-stripe-webhook-secret=null
+```
+
+This audit run acts as version 2; despite the values being null now, it proves the export tooling works and highlights the next blocker (Azure DNS access).
+
 ## 🚀 Quick Fix Commands

 ### Get Azure Resource Keys (for seeding):
--- a/scripts/export-lysnr-kv.sh
+++ b/scripts/export-lysnr-kv.sh
@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# exports all lysnr-* secrets from kv-mywisprai into kv_azure.txt
+set -euo pipefail
+
+VAULT_NAME=${AZURE_KEYVAULT_NAME:-kv-mywisprai}
+OUTFILE=${1:-kv_azure.txt}
+
+echo "📦 Exporting lysnr-* secrets from $VAULT_NAME → $OUTFILE"
+rm -f "$OUTFILE"
+
+secret_names=$(az keyvault secret list \
+  --vault-name "$VAULT_NAME" \
+  --query "[?starts_with(name,'lysnr-')].name" \
+  --output tsv)
+
+for secret in $secret_names; do
+  value=$(az keyvault secret show \
+    --vault-name "$VAULT_NAME" \
+    --name "$secret" \
+    --query "value" \
+    --output tsv)
+  printf "%s=%s\n" "$secret" "$value" >> "$OUTFILE"
+done
+
+echo "✅ Done. Run: cat $OUTFILE"