From 4d78c45e85f4d969445851580d086211c5fb21d3 Mon Sep 17 00:00:00 2001 From: saravanakumardb1 Date: Sun, 15 Feb 2026 00:53:04 -0800 Subject: [PATCH] docs: mark all 13 lysnr-* secrets as seeded, remove kv.txt + kv_azure.txt, update audit + rotation docs --- .gitignore | 2 + .../AZURE_KEY_VAULT_AND_SECRETS_ROTATION.md | 6 +- ...NVIRONMENT_VARIABLES_AND_KEYVAULT_AUDIT.md | 53 ++++++++--------- docs/devops/kv.txt | 57 ------------------- docs/devops/kv_azure.txt | 13 ----- 5 files changed, 30 insertions(+), 101 deletions(-) delete mode 100644 docs/devops/kv.txt delete mode 100644 docs/devops/kv_azure.txt diff --git a/.gitignore b/.gitignore index 2445854b..f6b6f99e 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,5 @@ coverage/ *.p12 *.pfx *.key +kv.txt +kv_azure.txt diff --git a/docs/devops/AZURE_KEY_VAULT_AND_SECRETS_ROTATION.md b/docs/devops/AZURE_KEY_VAULT_AND_SECRETS_ROTATION.md index 3a472467..5c176169 100644 --- a/docs/devops/AZURE_KEY_VAULT_AND_SECRETS_ROTATION.md +++ b/docs/devops/AZURE_KEY_VAULT_AND_SECRETS_ROTATION.md @@ -2,7 +2,7 @@ > **Purpose:** Centralize all secrets in Azure Key Vault and establish a repeatable rotation process. > **Vault:** `kv-mywisprai` in `rg-mywisprai` (East US) -> **Last updated:** 2026-02-14 +> **Last updated:** 2026-02-15 --- @@ -29,9 +29,9 @@ All ByteLyst products (LysnrAI, MindLyst, legacy MyWisprAI) share a **single Key |---------|--------|---------------|--------| | **MindLyst** | `mindlyst-*` | 12 | Fully populated | | **MyWisprAI** (legacy) | `wispr-*` | 5 | Legacy desktop secrets | -| **LysnrAI** | `lysnr-*` | 0 | **NOT SEEDED** — code is ready, vault is empty | +| **LysnrAI** | `lysnr-*` | 13 | ✅ Seeded (2026-02-15) | -**Total secrets:** 17 (12 MindLyst + 5 MyWisprAI + 0 LysnrAI) +**Total secrets:** 30 (12 MindLyst + 5 MyWisprAI + 13 LysnrAI) ### Code Integration Status 
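Review bot: The two new ignore entries are exact filenames, so they only stop `kv.txt` and `kv_azure.txt` from being re-added under those names, while the blobs this commit removes (`index 7a5327b9..00000000` and `index a19cae3c..00000000` in the later file sections) remain reachable in history — the ignore rule reduces none of the existing exposure, and every value those files held should be treated as compromised until the rotation the audit hunk lists as "Next action" is actually completed and tracked as a blocking item rather than a note. A seed script saved under any other name or suffix would still pass this rule, so alongside the sibling `*.key`/`*.p12` patterns a slightly broader entry is worth adding, e.g. `# one-off Key Vault seed scripts / exports — never commit` followed by `kv*.txt`, and pairing the repository with a secret-scanning pre-commit hook, since a name-based ignore cannot recognise a credential. Note that the deleted `kv.txt` was a bash seed script kept under `docs/` with a `.txt` extension, which is precisely the kind of file an extension-based ignore list misses.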
diff --git a/docs/devops/ENVIRONMENT_VARIABLES_AND_KEYVAULT_AUDIT.md b/docs/devops/ENVIRONMENT_VARIABLES_AND_KEYVAULT_AUDIT.md index 90bb1aa4..e1fe3cf7 100644 --- a/docs/devops/ENVIRONMENT_VARIABLES_AND_KEYVAULT_AUDIT.md +++ b/docs/devops/ENVIRONMENT_VARIABLES_AND_KEYVAULT_AUDIT.md @@ -1,19 +1,17 @@ # Environment Variables & Azure Key Vault Audit -> **Last Updated:** 2026-02-14 +> **Last Updated:** 2026-02-15 > **Purpose:** Complete audit of environment variables, Azure Key Vault secrets, and gap analysis --- ## 🎯 Executive Summary -### Critical Findings: -1. ❌ **ZERO LysnrAI secrets** exist in Azure Key Vault despite code expecting them -2. ✅ **MindLyst secrets** are fully populated (12 secrets) -3. ✅ **MyWisprAI secrets** are partially populated (5 secrets) -4. ⚠️ **Mismatch** between code expectations and actual Key Vault state -5. ⚠️ **Missing Stripe secrets** for billing functionality -6. ⚠️ **Missing Gemini API key** for extraction service +### Current Status: +1. ✅ **All 13 LysnrAI secrets** seeded into Azure Key Vault (completed 2026-02-15) +2. ✅ **MindLyst secrets** fully populated (12 secrets) +3. ✅ **MyWisprAI secrets** populated (5 legacy `wispr-*` secrets) +4. ⚠️ **Next action:** Rotate keys exposed in git history (see `AZURE_KEY_VAULT_AND_SECRETS_ROTATION.md`) --- 
@@ -53,22 +51,22 @@ The `LYSNR_SECRETS` constant defines these mappings: | Key Vault Secret Name | Environment Variable | Status in KV | Priority | |-----------------------|---------------------|--------------|----------| -| `lysnr-cosmos-key` | `COSMOS_KEY` | ❌ **MISSING** | 🔴 Critical | -| `lysnr-cosmos-endpoint` | `COSMOS_ENDPOINT` | ❌ **MISSING** | 🔴 Critical | -| `lysnr-jwt-secret` | `JWT_SECRET` | ❌ **MISSING** | 🔴 Critical | -| `lysnr-stripe-secret-key` | `STRIPE_SECRET_KEY` | ❌ **MISSING** | 🔴 Critical | -| `lysnr-stripe-webhook-secret` | `STRIPE_WEBHOOK_SECRET` | ❌ **MISSING** | 🔴 Critical | -| `lysnr-billing-internal-key` | `BILLING_INTERNAL_KEY` | ❌ **MISSING** | 🟠 High | -| `lysnr-blob-connection-string` | `AZURE_BLOB_CONNECTION_STRING` | ❌ **MISSING** | 🔴 Critical | -| `lysnr-blob-account-key` | `AZURE_BLOB_ACCOUNT_KEY` | ❌ **MISSING** | 🔴 Critical | -| `lysnr-gemini-api-key` | `GEMINI_API_KEY` | ❌ **MISSING** | 🔴 Critical | -| `lysnr-seed-secret` | `SEED_SECRET` | ❌ **MISSING** | 🟡 Medium | -| `lysnr-azure-speech-key` | `AZURE_SPEECH_KEY` | ❌ **MISSING** | 🟠 High | -| `lysnr-azure-openai-key` | `AZURE_OPENAI_KEY` | ❌ **MISSING** | 🟠 High | -| `lysnr-azure-openai-endpoint` | `AZURE_OPENAI_ENDPOINT` | ❌ **MISSING** | 🟠 High | +| `lysnr-cosmos-key` | `COSMOS_KEY` | ✅ **Seeded** | 🔴 Critical | +| `lysnr-cosmos-endpoint` | `COSMOS_ENDPOINT` | ✅ **Seeded** | 🔴 Critical | +| `lysnr-jwt-secret` | `JWT_SECRET` | ✅ **Seeded** | 🔴 Critical | +| `lysnr-stripe-secret-key` | `STRIPE_SECRET_KEY` | ✅ **Seeded** | 🔴 Critical | +| `lysnr-stripe-webhook-secret` | `STRIPE_WEBHOOK_SECRET` | ✅ **Seeded** | 🔴 Critical | +| `lysnr-billing-internal-key` | `BILLING_INTERNAL_KEY` | ✅ **Seeded** | 🟠 High | +| `lysnr-blob-connection-string` | `AZURE_BLOB_CONNECTION_STRING` | ✅ **Seeded** | 🔴 Critical | +| `lysnr-blob-account-key` | `AZURE_BLOB_ACCOUNT_KEY` | ✅ **Seeded** | 🔴 Critical | +| `lysnr-gemini-api-key` | `GEMINI_API_KEY` | ✅ **Seeded** | 🔴 Critical | +| 
`lysnr-seed-secret` | `SEED_SECRET` | ✅ **Seeded** | 🟡 Medium | +| `lysnr-azure-speech-key` | `AZURE_SPEECH_KEY` | ✅ **Seeded** | 🟠 High | +| `lysnr-azure-openai-key` | `AZURE_OPENAI_KEY` | ✅ **Seeded** | 🟠 High | +| `lysnr-azure-openai-endpoint` | `AZURE_OPENAI_ENDPOINT` | ✅ **Seeded** | 🟠 High | **Total Expected:** 13 secrets -**Total Missing:** 13 secrets (100%) +**Total Seeded:** 13 secrets (100%) ✅ — Completed 2026-02-15 --- @@ -437,17 +435,16 @@ pnpm --filter @lysnrai/platform-service dev - **Optional/Feature-Specific:** 29+ ### Key Vault Secrets: -- **Total Secrets in KV:** 17 +- **Total Secrets in KV:** 30 - **MindLyst Secrets:** 12 ✅ - **MyWisprAI Secrets:** 5 ⚠️ (legacy `wispr-*` prefix) -- **LysnrAI Secrets:** 0 ❌ (`lysnr-*` prefix) +- **LysnrAI Secrets:** 13 ✅ (`lysnr-*` prefix) - **Expected LysnrAI Secrets:** 13 -- **Coverage Gap:** 100% +- **Coverage Gap:** 0% ### Priority Actions: -- 🔴 **Critical (6):** Cosmos DB, JWT, Gemini, Blob Storage -- 🟠 **High (6):** Stripe, Speech, OpenAI, Billing internal key -- 🟡 **Medium (1):** Seed secret +- ✅ All 13 `lysnr-*` secrets seeded (2026-02-15) +- ⚠️ **Next:** Rotate keys that were exposed in git history (see `AZURE_KEY_VAULT_AND_SECRETS_ROTATION.md`) --- diff --git a/docs/devops/kv.txt b/docs/devops/kv.txt deleted file mode 100644 index 7a5327b9..00000000 --- a/docs/devops/kv.txt +++ /dev/null 
@@ -1,57 +0,0 @@ -# ============================================================ -# LysnrAI — Azure Key Vault Seed Script (kv-mywisprai) -# Generated: 2026-02-14 -# Source: git history scan across learning_voice_ai_agent -# -# USAGE: -# az login -# bash kv.txt -# -# After seeding, DELETE this file: -# rm kv.txt -# ============================================================ - -VAULT="kv-mywisprai" - -echo "=== Seeding 12 lysnr-* secrets into $VAULT ===" -echo "(GEMINI_API_KEY not found in history — must be added manually)" -echo "" - -# 1. Cosmos DB -az keyvault secret set --vault-name "$VAULT" --name lysnr-cosmos-endpoint --value "https://cosmos-mywisprai.documents.azure.com:443/" -o none && echo "✓ lysnr-cosmos-endpoint" -az keyvault secret set --vault-name "$VAULT" --name lysnr-cosmos-key --value "ilrRBdBix1YbTHBQuBhLrolhb7KGqrbuwFDgX0vyfBkCXgvzLuM22ca1wYrIUSWA9FnV7EDXvhXpACDbI58Oxg==" -o none && echo "✓ lysnr-cosmos-key" - -# 2. JWT -az keyvault secret set --vault-name "$VAULT" --name lysnr-jwt-secret --value "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2" -o none && echo "✓ lysnr-jwt-secret" - -# 3. Stripe -az keyvault secret set --vault-name "$VAULT" --name lysnr-stripe-secret-key --value "sk_test_51Mi3ICFsHXIhNSq6HQ9oMvXsk7uDykP7Vd8omxnOixgvhd5vcpOaBWKpTQLM95ewJXiPWks8FhMkgREkwDkzesIb00XTH9URa4" -o none && echo "✓ lysnr-stripe-secret-key" -az keyvault secret set --vault-name "$VAULT" --name lysnr-stripe-webhook-secret --value "whsec_c27f28b42e16988e3f2331be6bbc7f968f5ffbcb133a6a8a7260dcbbb3977775" -o none && echo "✓ lysnr-stripe-webhook-secret" - -# 4. Billing -az keyvault secret set --vault-name "$VAULT" --name lysnr-billing-internal-key --value "lysnrai-billing-internal-key-dev" -o none && echo "✓ lysnr-billing-internal-key" - -# 5. 
Blob Storage -az keyvault secret set --vault-name "$VAULT" --name lysnr-blob-connection-string --value "DefaultEndpointsProtocol=https;AccountName=bytelystblobs;AccountKey=Ekeeu7ZlXs5R1ldkQbnuHmygjneY8E4Fg4cyE3hNiDpOA5TKsOevRBfZ3H1+uNDxPFn/z0OazlOt+AStf+rtbA==;EndpointSuffix=core.windows.net" -o none && echo "✓ lysnr-blob-connection-string" -az keyvault secret set --vault-name "$VAULT" --name lysnr-blob-account-key --value "Ekeeu7ZlXs5R1ldkQbnuHmygjneY8E4Fg4cyE3hNiDpOA5TKsOevRBfZ3H1+uNDxPFn/z0OazlOt+AStf+rtbA==" -o none && echo "✓ lysnr-blob-account-key" - -# 6. Seed Secret -az keyvault secret set --vault-name "$VAULT" --name lysnr-seed-secret --value "lysnrai-seed-2026" -o none && echo "✓ lysnr-seed-secret" - -# 7. Azure Speech -az keyvault secret set --vault-name "$VAULT" --name lysnr-azure-speech-key --value "4pgudDQ7agbXVB2H96vhTwJRsrD0Ht51MBqmCO4rzV9lkHqcp7vDJQQJ99CBACYeBjFXJ3w3AAAYACOG0Z0v" -o none && echo "✓ lysnr-azure-speech-key" - -# 8. Azure OpenAI -az keyvault secret set --vault-name "$VAULT" --name lysnr-azure-openai-key --value "C15AdlJ4FujhfCGNaZyt9qOC0F3cRjrXuIYtvDX04CWif6fmQdqWJQQJ99CBACfhMk5XJ3w3AAABACOGBKgJ" -o none && echo "✓ lysnr-azure-openai-key" -az keyvault secret set --vault-name "$VAULT" --name lysnr-azure-openai-endpoint --value "https://swedencentral.api.cognitive.microsoft.com/" -o none && echo "✓ lysnr-azure-openai-endpoint" - -echo "" -echo "=== Done: 12/13 secrets seeded ===" -echo "" -echo "⚠️ MANUAL ACTION REQUIRED:" -echo " Get from: https://aistudio.google.com/apikey" -echo "" -echo "🗑️ DELETE THIS FILE NOW: rm kv.txt" - -# 9. Gemini API Key (provided manually) -az keyvault secret set --vault-name "$VAULT" --name lysnr-gemini-api-key --value "AIzaSyCyx2Eehv1UfSgoZIh0GqU-pnQr9vSxISs" -o none && echo "✓ lysnr-gemini-api-key" diff --git a/docs/devops/kv_azure.txt b/docs/devops/kv_azure.txt deleted file mode 100644 index a19cae3c..00000000 --- a/docs/devops/kv_azure.txt +++ /dev/null 
@@ -1,13 +0,0 @@ -lysnr-azure-openai-endpoint=https://swedencentral.api.cognitive.microsoft.com/ -lysnr-azure-openai-key=C15AdlJ4FujhfCGNaZyt9qOC0F3cRjrXuIYtvDX04CWif6fmQdqWJQQJ99CBACfhMk5XJ3w3AAABACOGBKgJ -lysnr-azure-speech-key=4pgudDQ7agbXVB2H96vhTwJRsrD0Ht51MBqmCO4rzV9lkHqcp7vDJQQJ99CBACYeBjFXJ3w3AAAYACOG0Z0v -lysnr-billing-internal-key=lysnrai-billing-internal-key-dev -lysnr-blob-account-key=Ekeeu7ZlXs5R1ldkQbnuHmygjneY8E4Fg4cyE3hNiDpOA5TKsOevRBfZ3H1+uNDxPFn/z0OazlOt+AStf+rtbA== -lysnr-blob-connection-string=DefaultEndpointsProtocol=https;AccountName=bytelystblobs;AccountKey=Ekeeu7ZlXs5R1ldkQbnuHmygjneY8E4Fg4cyE3hNiDpOA5TKsOevRBfZ3H1+uNDxPFn/z0OazlOt+AStf+rtbA==;EndpointSuffix=core.windows.net -lysnr-cosmos-endpoint=https://cosmos-mywisprai.documents.azure.com:443/ -lysnr-cosmos-key=ilrRBdBix1YbTHBQuBhLrolhb7KGqrbuwFDgX0vyfBkCXgvzLuM22ca1wYrIUSWA9FnV7EDXvhXpACDbI58Oxg== -lysnr-gemini-api-key=AIzaSyCyx2Eehv1UfSgoZIh0GqU-pnQr9vSxISs -lysnr-jwt-secret=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 -lysnr-seed-secret=lysnrai-seed-2026 -lysnr-stripe-secret-key=sk_test_51Mi3ICFsHXIhNSq6HQ9oMvXsk7uDykP7Vd8omxnOixgvhd5vcpOaBWKpTQLM95ewJXiPWks8FhMkgREkwDkzesIb00XTH9URa4 -lysnr-stripe-webhook-secret=whsec_c27f28b42e16988e3f2331be6bbc7f968f5ffbcb133a6a8a7260dcbbb3977775