# Secret Rotation Runbook

Date: 2026-02-15

Scope: bot service + dashboard deployment secrets

## Objective

Rotate all production credentials on a fixed cadence and after any suspected leak, while preserving service continuity.

## Rotation Scope

- Supabase:
  - `SUPABASE_KEY` / service-role key used by the bot service
  - JWT verification values (`SUPABASE_JWT_ISSUER`, `SUPABASE_JWT_AUDIENCE`)
- Exchange credentials:
  - `ALPACA_API_KEY`, `ALPACA_API_SECRET`
  - `REAL_ALPACA_API_KEY`, `REAL_ALPACA_API_SECRET`
- AI provider keys:
  - `OPENAI_API_KEY`
  - `GEMINI_API_KEY`
  - `PERPLEXITY_API_KEY`
- Notification/API integration keys (if configured)
## Rotation Procedure

1. Create new credentials in the provider consoles.
2. Update the secret stores (CI/CD, Azure, Vercel, etc.) with the new values.
3. Deploy the bot and dashboard with the new secret versions.
4. Validate:
   - bot startup and auth checks
   - exchange order placement dry-run path
   - dashboard auth and websocket connectivity
5. Revoke the old credentials only after the validation window has passed.
6. Record the rotation date, actor, and affected systems in the release notes.
## Enforcement

- CI includes an executable secret hygiene scan:
  - `scripts/verifySecretHygiene.ts`
- The Gitleaks workflow remains enabled on push/PR.
- Never commit real secrets into tracked files (`.env`, docs, scripts, configs).
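
A minimal form of the hygiene check such a CI step can run, as an added example that is not the project's `scripts/verifySecretHygiene.ts`: it takes `.env`-style text and flags any in-scope variable whose value is not a recognised placeholder, reporting the name and line but never the value. The placeholder rules and the sample content are assumptions, not taken from the project.

```typescript
// Added example, not the project's scripts/verifySecretHygiene.ts: flags any
// in-scope variable in .env-style text whose value is not a placeholder.

// Variable names taken from the runbook's rotation scope.
const ROTATED_SECRET_VARS = new Set<string>([
  "SUPABASE_KEY", "ALPACA_API_KEY", "ALPACA_API_SECRET",
  "REAL_ALPACA_API_KEY", "REAL_ALPACA_API_SECRET",
  "OPENAI_API_KEY", "GEMINI_API_KEY", "PERPLEXITY_API_KEY",
]);

// Only the name, line and value length are reported, never the value itself.
interface Finding { line: number; name: string; valueLength: number }

// Assumed placeholder rules: empty, templated from the secret store,
// angle-bracket templates, or common placeholder words.
function isPlaceholder(value: string): boolean {
  if (value === "") return true;
  if (/^\$\{?[A-Z0-9_]+\}?$/.test(value)) return true;  // ${VAR} or $VAR
  if (/^<[^<>]+>$/.test(value)) return true;             // <your-key-here>
  return /^(changeme|replace[_-]?me|redacted|x{3,}|\.{3})$/i.test(value);
}

// Honour quoted values; otherwise drop a trailing inline comment.
function parseValue(rest: string): string {
  const t = rest.trim();
  const quoted = t.match(/^(["'])(.*?)\1/);
  return quoted ? quoted[2] : t.replace(/\s+#.*$/, "").trim();
}

// Scan .env-style text; one finding per real-looking secret value.
function scanEnvText(text: string): Finding[] {
  const findings: Finding[] = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim().replace(/^export\s+/, "");
    if (line === "" || line.startsWith("#")) return;
    const eq = line.indexOf("=");
    if (eq < 0) return;
    const name = line.slice(0, eq).trim();
    if (!ROTATED_SECRET_VARS.has(name)) return;
    const value = parseValue(line.slice(eq + 1));
    if (!isPlaceholder(value)) {
      findings.push({ line: idx + 1, name, valueLength: value.length });
    }
  });
  return findings;
}

// Constructed sample (no real credentials): three placeholders, two leaks.
const SAMPLE_ENV = [
  "SUPABASE_KEY=${SUPABASE_KEY}",
  "ALPACA_API_KEY=<your-alpaca-key>",
  'ALPACA_API_SECRET="sample-secret-value"  # quoted, real-looking',
  "export GEMINI_API_KEY=sample-not-a-real-key",
  "PERPLEXITY_API_KEY=changeme",
].join("\n");
```

Running `scanEnvText(SAMPLE_ENV)` returns findings for lines 3 and 4 only; a CI step would fail the build when the array is non-empty.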

## Cadence

- Standard: every 30 days
- Immediate rotation triggers:
  - Secret leaked in logs/repo/chat/email
  - Access control incident
  - Team-member offboarding