docs: mark all 13 lysnr-* secrets as seeded, remove kv.txt + kv_azure.txt, update audit + rotation docs

2026-02-15 00:53:04 -08:00 · 2026-02-15 00:53:04 -08:00 · 4d78c45e85
commit 4d78c45e85
parent 7b529b420c
5 changed files with 30 additions and 101 deletions
--- a/.gitignore
+++ b/.gitignore
@ -12,3 +12,5 @@ coverage/
 *.p12
 *.pfx
 *.key
+kv.txt
+kv_azure.txt
--- a/docs/devops/AZURE_KEY_VAULT_AND_SECRETS_ROTATION.md
+++ b/docs/devops/AZURE_KEY_VAULT_AND_SECRETS_ROTATION.md
@ -2,7 +2,7 @@

 > **Purpose:** Centralize all secrets in Azure Key Vault and establish a repeatable rotation process.  
 > **Vault:** `kv-mywisprai` in `rg-mywisprai` (East US)  
-> **Last updated:** 2026-02-14
+> **Last updated:** 2026-02-15

 ---

@ -29,9 +29,9 @@ All ByteLyst products (LysnrAI, MindLyst, legacy MyWisprAI) share a **single Key
 |---------|--------|---------------|--------|
 | **MindLyst** | `mindlyst-*` | 12 | Fully populated |
 | **MyWisprAI** (legacy) | `wispr-*` | 5 | Legacy desktop secrets |
-| **LysnrAI** | `lysnr-*` | 0 | **NOT SEEDED** — code is ready, vault is empty |
+| **LysnrAI** | `lysnr-*` | 13 | ✅ Seeded (2026-02-15) |

-**Total secrets:** 17 (12 MindLyst + 5 MyWisprAI + 0 LysnrAI)
+**Total secrets:** 30 (12 MindLyst + 5 MyWisprAI + 13 LysnrAI)

 ### Code Integration Status

--- a/docs/devops/ENVIRONMENT_VARIABLES_AND_KEYVAULT_AUDIT.md
+++ b/docs/devops/ENVIRONMENT_VARIABLES_AND_KEYVAULT_AUDIT.md
@ -1,19 +1,17 @@
 # Environment Variables & Azure Key Vault Audit

-> **Last Updated:** 2026-02-14  
+> **Last Updated:** 2026-02-15  
 > **Purpose:** Complete audit of environment variables, Azure Key Vault secrets, and gap analysis

 ---

 ## 🎯 Executive Summary

-### Critical Findings:
-1. ❌ **ZERO LysnrAI secrets** exist in Azure Key Vault despite code expecting them
-2. ✅ **MindLyst secrets** are fully populated (12 secrets)
-3. ✅ **MyWisprAI secrets** are partially populated (5 secrets)
-4. ⚠️ **Mismatch** between code expectations and actual Key Vault state
-5. ⚠️ **Missing Stripe secrets** for billing functionality
-6. ⚠️ **Missing Gemini API key** for extraction service
+### Current Status:
+1. ✅ **All 13 LysnrAI secrets** seeded into Azure Key Vault (completed 2026-02-15)
+2. ✅ **MindLyst secrets** fully populated (12 secrets)
+3. ✅ **MyWisprAI secrets** populated (5 legacy `wispr-*` secrets)
+4. ⚠️ **Next action:** Rotate keys exposed in git history (see `AZURE_KEY_VAULT_AND_SECRETS_ROTATION.md`)

 ---

@ -53,22 +51,22 @@ The `LYSNR_SECRETS` constant defines these mappings:

 | Key Vault Secret Name | Environment Variable | Status in KV | Priority |
 |-----------------------|---------------------|--------------|----------|
-| `lysnr-cosmos-key` | `COSMOS_KEY` | ❌ **MISSING** | 🔴 Critical |
-| `lysnr-cosmos-endpoint` | `COSMOS_ENDPOINT` | ❌ **MISSING** | 🔴 Critical |
-| `lysnr-jwt-secret` | `JWT_SECRET` | ❌ **MISSING** | 🔴 Critical |
-| `lysnr-stripe-secret-key` | `STRIPE_SECRET_KEY` | ❌ **MISSING** | 🔴 Critical |
-| `lysnr-stripe-webhook-secret` | `STRIPE_WEBHOOK_SECRET` | ❌ **MISSING** | 🔴 Critical |
-| `lysnr-billing-internal-key` | `BILLING_INTERNAL_KEY` | ❌ **MISSING** | 🟠 High |
-| `lysnr-blob-connection-string` | `AZURE_BLOB_CONNECTION_STRING` | ❌ **MISSING** | 🔴 Critical |
-| `lysnr-blob-account-key` | `AZURE_BLOB_ACCOUNT_KEY` | ❌ **MISSING** | 🔴 Critical |
-| `lysnr-gemini-api-key` | `GEMINI_API_KEY` | ❌ **MISSING** | 🔴 Critical |
-| `lysnr-seed-secret` | `SEED_SECRET` | ❌ **MISSING** | 🟡 Medium |
-| `lysnr-azure-speech-key` | `AZURE_SPEECH_KEY` | ❌ **MISSING** | 🟠 High |
-| `lysnr-azure-openai-key` | `AZURE_OPENAI_KEY` | ❌ **MISSING** | 🟠 High |
-| `lysnr-azure-openai-endpoint` | `AZURE_OPENAI_ENDPOINT` | ❌ **MISSING** | 🟠 High |
+| `lysnr-cosmos-key` | `COSMOS_KEY` | ✅ **Seeded** | 🔴 Critical |
+| `lysnr-cosmos-endpoint` | `COSMOS_ENDPOINT` | ✅ **Seeded** | 🔴 Critical |
+| `lysnr-jwt-secret` | `JWT_SECRET` | ✅ **Seeded** | 🔴 Critical |
+| `lysnr-stripe-secret-key` | `STRIPE_SECRET_KEY` | ✅ **Seeded** | 🔴 Critical |
+| `lysnr-stripe-webhook-secret` | `STRIPE_WEBHOOK_SECRET` | ✅ **Seeded** | 🔴 Critical |
+| `lysnr-billing-internal-key` | `BILLING_INTERNAL_KEY` | ✅ **Seeded** | 🟠 High |
+| `lysnr-blob-connection-string` | `AZURE_BLOB_CONNECTION_STRING` | ✅ **Seeded** | 🔴 Critical |
+| `lysnr-blob-account-key` | `AZURE_BLOB_ACCOUNT_KEY` | ✅ **Seeded** | 🔴 Critical |
+| `lysnr-gemini-api-key` | `GEMINI_API_KEY` | ✅ **Seeded** | 🔴 Critical |
+| `lysnr-seed-secret` | `SEED_SECRET` | ✅ **Seeded** | 🟡 Medium |
+| `lysnr-azure-speech-key` | `AZURE_SPEECH_KEY` | ✅ **Seeded** | 🟠 High |
+| `lysnr-azure-openai-key` | `AZURE_OPENAI_KEY` | ✅ **Seeded** | 🟠 High |
+| `lysnr-azure-openai-endpoint` | `AZURE_OPENAI_ENDPOINT` | ✅ **Seeded** | 🟠 High |

 **Total Expected:** 13 secrets  
-**Total Missing:** 13 secrets (100%)
+**Total Seeded:** 13 secrets (100%) ✅ — Completed 2026-02-15

 ---

@ -437,17 +435,16 @@ pnpm --filter @lysnrai/platform-service dev
 - **Optional/Feature-Specific:** 29+

 ### Key Vault Secrets:
- **Total Secrets in KV:** 17
+- **Total Secrets in KV:** 30
 - **MindLyst Secrets:** 12 ✅
 - **MyWisprAI Secrets:** 5 ⚠️ (legacy `wispr-*` prefix)
- **LysnrAI Secrets:** 0 ❌ (`lysnr-*` prefix)
+- **LysnrAI Secrets:** 13 ✅ (`lysnr-*` prefix)
 - **Expected LysnrAI Secrets:** 13
- **Coverage Gap:** 100%
+- **Coverage Gap:** 0%

 ### Priority Actions:
- 🔴 **Critical (6):** Cosmos DB, JWT, Gemini, Blob Storage
- 🟠 **High (6):** Stripe, Speech, OpenAI, Billing internal key
- 🟡 **Medium (1):** Seed secret
+- ✅ All 13 `lysnr-*` secrets seeded (2026-02-15)
+- ⚠️ **Next:** Rotate keys that were exposed in git history (see `AZURE_KEY_VAULT_AND_SECRETS_ROTATION.md`)

 ---

--- a/docs/devops/kv.txt
+++ b/docs/devops/kv.txt
@ -1,57 +0,0 @@
-# ============================================================
-# LysnrAI — Azure Key Vault Seed Script (kv-mywisprai)
-# Generated: 2026-02-14
-# Source: git history scan across learning_voice_ai_agent
-#
-# USAGE:
-#   az login
-#   bash kv.txt
-#
-# After seeding, DELETE this file:
-#   rm kv.txt
-# ============================================================
-
-VAULT="kv-mywisprai"
-
-echo "=== Seeding 12 lysnr-* secrets into $VAULT ==="
-echo "(GEMINI_API_KEY not found in history — must be added manually)"
-echo ""
-
-# 1. Cosmos DB
-az keyvault secret set --vault-name "$VAULT" --name lysnr-cosmos-endpoint --value "https://cosmos-mywisprai.documents.azure.com:443/" -o none && echo "✓ lysnr-cosmos-endpoint"
-az keyvault secret set --vault-name "$VAULT" --name lysnr-cosmos-key --value "ilrRBdBix1YbTHBQuBhLrolhb7KGqrbuwFDgX0vyfBkCXgvzLuM22ca1wYrIUSWA9FnV7EDXvhXpACDbI58Oxg==" -o none && echo "✓ lysnr-cosmos-key"
-
-# 2. JWT
-az keyvault secret set --vault-name "$VAULT" --name lysnr-jwt-secret --value "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2" -o none && echo "✓ lysnr-jwt-secret"
-
-# 3. Stripe
-az keyvault secret set --vault-name "$VAULT" --name lysnr-stripe-secret-key --value "sk_test_51Mi3ICFsHXIhNSq6HQ9oMvXsk7uDykP7Vd8omxnOixgvhd5vcpOaBWKpTQLM95ewJXiPWks8FhMkgREkwDkzesIb00XTH9URa4" -o none && echo "✓ lysnr-stripe-secret-key"
-az keyvault secret set --vault-name "$VAULT" --name lysnr-stripe-webhook-secret --value "whsec_c27f28b42e16988e3f2331be6bbc7f968f5ffbcb133a6a8a7260dcbbb3977775" -o none && echo "✓ lysnr-stripe-webhook-secret"
-
-# 4. Billing
-az keyvault secret set --vault-name "$VAULT" --name lysnr-billing-internal-key --value "lysnrai-billing-internal-key-dev" -o none && echo "✓ lysnr-billing-internal-key"
-
-# 5. Blob Storage
-az keyvault secret set --vault-name "$VAULT" --name lysnr-blob-connection-string --value "DefaultEndpointsProtocol=https;AccountName=bytelystblobs;AccountKey=Ekeeu7ZlXs5R1ldkQbnuHmygjneY8E4Fg4cyE3hNiDpOA5TKsOevRBfZ3H1+uNDxPFn/z0OazlOt+AStf+rtbA==;EndpointSuffix=core.windows.net" -o none && echo "✓ lysnr-blob-connection-string"
-az keyvault secret set --vault-name "$VAULT" --name lysnr-blob-account-key --value "Ekeeu7ZlXs5R1ldkQbnuHmygjneY8E4Fg4cyE3hNiDpOA5TKsOevRBfZ3H1+uNDxPFn/z0OazlOt+AStf+rtbA==" -o none && echo "✓ lysnr-blob-account-key"
-
-# 6. Seed Secret
-az keyvault secret set --vault-name "$VAULT" --name lysnr-seed-secret --value "lysnrai-seed-2026" -o none && echo "✓ lysnr-seed-secret"
-
-# 7. Azure Speech
-az keyvault secret set --vault-name "$VAULT" --name lysnr-azure-speech-key --value "4pgudDQ7agbXVB2H96vhTwJRsrD0Ht51MBqmCO4rzV9lkHqcp7vDJQQJ99CBACYeBjFXJ3w3AAAYACOG0Z0v" -o none && echo "✓ lysnr-azure-speech-key"
-
-# 8. Azure OpenAI
-az keyvault secret set --vault-name "$VAULT" --name lysnr-azure-openai-key --value "C15AdlJ4FujhfCGNaZyt9qOC0F3cRjrXuIYtvDX04CWif6fmQdqWJQQJ99CBACfhMk5XJ3w3AAABACOGBKgJ" -o none && echo "✓ lysnr-azure-openai-key"
-az keyvault secret set --vault-name "$VAULT" --name lysnr-azure-openai-endpoint --value "https://swedencentral.api.cognitive.microsoft.com/" -o none && echo "✓ lysnr-azure-openai-endpoint"
-
-echo ""
-echo "=== Done: 12/13 secrets seeded ==="
-echo ""
-echo "⚠️  MANUAL ACTION REQUIRED:"
-echo "   Get from: https://aistudio.google.com/apikey"
-echo ""
-echo "🗑️  DELETE THIS FILE NOW: rm kv.txt"
-
-# 9. Gemini API Key (provided manually)
-az keyvault secret set --vault-name "$VAULT" --name lysnr-gemini-api-key --value "AIzaSyCyx2Eehv1UfSgoZIh0GqU-pnQr9vSxISs" -o none && echo "✓ lysnr-gemini-api-key"
--- a/docs/devops/kv_azure.txt
+++ b/docs/devops/kv_azure.txt
@ -1,13 +0,0 @@
-lysnr-azure-openai-endpoint=https://swedencentral.api.cognitive.microsoft.com/
-lysnr-azure-openai-key=C15AdlJ4FujhfCGNaZyt9qOC0F3cRjrXuIYtvDX04CWif6fmQdqWJQQJ99CBACfhMk5XJ3w3AAABACOGBKgJ
-lysnr-azure-speech-key=4pgudDQ7agbXVB2H96vhTwJRsrD0Ht51MBqmCO4rzV9lkHqcp7vDJQQJ99CBACYeBjFXJ3w3AAAYACOG0Z0v
-lysnr-billing-internal-key=lysnrai-billing-internal-key-dev
-lysnr-blob-account-key=Ekeeu7ZlXs5R1ldkQbnuHmygjneY8E4Fg4cyE3hNiDpOA5TKsOevRBfZ3H1+uNDxPFn/z0OazlOt+AStf+rtbA==
-lysnr-blob-connection-string=DefaultEndpointsProtocol=https;AccountName=bytelystblobs;AccountKey=Ekeeu7ZlXs5R1ldkQbnuHmygjneY8E4Fg4cyE3hNiDpOA5TKsOevRBfZ3H1+uNDxPFn/z0OazlOt+AStf+rtbA==;EndpointSuffix=core.windows.net
-lysnr-cosmos-endpoint=https://cosmos-mywisprai.documents.azure.com:443/
-lysnr-cosmos-key=ilrRBdBix1YbTHBQuBhLrolhb7KGqrbuwFDgX0vyfBkCXgvzLuM22ca1wYrIUSWA9FnV7EDXvhXpACDbI58Oxg==
-lysnr-gemini-api-key=AIzaSyCyx2Eehv1UfSgoZIh0GqU-pnQr9vSxISs
-lysnr-jwt-secret=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2
-lysnr-seed-secret=lysnrai-seed-2026
-lysnr-stripe-secret-key=sk_test_51Mi3ICFsHXIhNSq6HQ9oMvXsk7uDykP7Vd8omxnOixgvhd5vcpOaBWKpTQLM95ewJXiPWks8FhMkgREkwDkzesIb00XTH9URa4
-lysnr-stripe-webhook-secret=whsec_c27f28b42e16988e3f2331be6bbc7f968f5ffbcb133a6a8a7260dcbbb3977775