# Secret Rotation Runbook

Date: 2026-02-15
Scope: bot service + dashboard deployment secrets

## Objective

Rotate all production credentials on a fixed cadence and after any suspected leak, while preserving service continuity.

## Rotation Scope

- Supabase:
  - `SUPABASE_KEY` / service-role key used by the bot service
  - JWT verification values (`SUPABASE_JWT_ISSUER`, `SUPABASE_JWT_AUDIENCE`)
- Exchange credentials:
  - `ALPACA_API_KEY`, `ALPACA_API_SECRET`
  - `REAL_ALPACA_API_KEY`, `REAL_ALPACA_API_SECRET`
- AI provider keys:
  - `OPENAI_API_KEY`
  - `GEMINI_API_KEY`
  - `PERPLEXITY_API_KEY`
- Notification/API integration keys (if configured)

## Rotation Procedure

1. Create new credentials in the provider consoles. Leave the old credentials active so that both are valid during the cutover.
2. Update every secret store (CI/CD, Azure, Vercel, etc.) with the new values.
3. Deploy the bot and dashboard with the new secret versions.
4. Validate:
   - bot startup + auth checks
   - exchange order placement dry-run path
   - dashboard auth and websocket connectivity
5. Revoke the old credentials only after the validation window has passed, then confirm that a request using an old credential is rejected.
6. Record the rotation date, actor, and affected systems in the release notes.

## Enforcement

- CI includes an executable secret hygiene scan:
  - `scripts/verifySecretHygiene.ts`
- The Gitleaks workflow remains enabled on push/PR.
- Never commit real secrets into tracked files (`.env`, docs, scripts, configs).

## Cadence

- Standard: every 30 days
- Immediate rotation triggers:
  - Secret leaked in logs/repo/chat/email
  - Suspected or confirmed access-control incident
  - Team-member offboarding
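The following is an added example of the kind of check the Enforcement section's secret hygiene scan performs: it walks tracked file contents, finds lines that assign a literal value to one of the secret names in the Rotation Scope, and ignores placeholders and environment references. It is not the project's `scripts/verifySecretHygiene.ts`; the placeholder conventions, the minimum-length heuristic, the sample files and every credential value in them are constructed for this example.

```typescript
// Added example of a secret hygiene scan. NOT the project's scripts/verifySecretHygiene.ts;
// the secret names come from the runbook, everything else here is an assumption.

// Secret names from the runbook's Rotation Scope.
export const SECRET_NAMES = [
  "SUPABASE_KEY",
  "ALPACA_API_KEY",
  "ALPACA_API_SECRET",
  "REAL_ALPACA_API_KEY",
  "REAL_ALPACA_API_SECRET",
  "OPENAI_API_KEY",
  "GEMINI_API_KEY",
  "PERPLEXITY_API_KEY",
] as const;

export interface Finding {
  file: string;
  line: number; // 1-based
  name: string;
}

// Assumed placeholder conventions: <angle-bracket>, your_/your-, changeme, replace_me,
// xxx..., "...", dummy, placeholder. Anchored at the start of the value.
const PLACEHOLDER = /^(<[^>]*>$|your[_-]|changeme|replace[_-]?me|x{3,}$|\.{3}$|dummy|placeholder)/i;

// Values that reference the environment rather than embed a literal.
const REFERENCE = /^(process\.env\.|import\.meta\.env\.|os\.environ|\$\{|\$[A-Z_]+$)/;

// Heuristic (assumption): anything shorter than this is not treated as a credential.
const MIN_SECRET_LENGTH = 12;

// `NAME = value`, `NAME: value`, `"NAME": value`, `NAME=value`; trailing `,` or `;` dropped.
const ASSIGNMENT = new RegExp(
  `\\b(${SECRET_NAMES.join("|")})\\b["']?\\s*[:=]\\s*(.+?)\\s*[,;]?\\s*$`,
);

// True when the right-hand side looks like an actual credential literal.
export function looksLikeRealSecret(rawValue: string): boolean {
  const trimmed = rawValue.trim();
  if (REFERENCE.test(trimmed)) return false;
  const value = trimmed.replace(/^(["'`])(.*)\1$/, "$2"); // strip matching quotes
  if (value.length < MIN_SECRET_LENGTH) return false;
  return !PLACEHOLDER.test(value);
}

// Scan a map of path -> file contents and report every literal secret assignment.
export function scanForLeakedSecrets(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const [file, content] of Object.entries(files)) {
    content.split(/\r?\n/).forEach((text, i) => {
      const m = ASSIGNMENT.exec(text);
      if (!m) return;
      const [, name, rawValue] = m;
      if (looksLikeRealSecret(rawValue)) findings.push({ file, line: i + 1, name });
    });
  }
  return findings;
}

// CI-style result: ok=false means the pipeline should fail.
export function hygieneCheck(files: Record<string, string>): { ok: boolean; report: string } {
  const findings = scanForLeakedSecrets(files);
  const report = findings.length === 0
    ? "secret hygiene: no literal credentials found"
    : findings.map((f) => `${f.file}:${f.line}: literal value assigned to ${f.name}`).join("\n");
  return { ok: findings.length === 0, report };
}

// Constructed sample repository contents. All credential values below are fake.
export const SAMPLE_FILES: Record<string, string> = {
  ".env.example": [
    "SUPABASE_KEY=<your-service-role-key>",
    "OPENAI_API_KEY=your_openai_key_here",
    "ALPACA_API_KEY=",
  ].join("\n"),
  "src/config.ts": [
    "export const config = {",
    '  supabaseKey: process.env.SUPABASE_KEY ?? "",',
    "  // leak: literal credential committed to a tracked file",
    '  OPENAI_API_KEY: "sk-FAKE-constructed-0123456789abcdef",',
    "};",
  ].join("\n"),
  "docs/runbook.md": [
    "Set `REAL_ALPACA_API_SECRET` in Vercel, never in the repo.",
    "REAL_ALPACA_API_SECRET=FAKEconstructedSecretValue00001",
  ].join("\n"),
};

console.log(hygieneCheck(SAMPLE_FILES).report);
```

In a real pipeline the file map would be built from `git ls-files` output and the process would exit non-zero when `ok` is false; the scan deliberately fails closed, so a placeholder that does not match the assumed conventions is reported rather than silently accepted.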