bytelyst/learning_ai_invt_trdg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6b37cb059e
learning_ai_invt_trdg/backend/SECRET_ROTATION_RUNBOOK.md

1.5 KiB
Raw Blame History

Secret Rotation Runbook

Date: 2026-02-15
Scope: bot service + dashboard deployment secrets

Objective

Rotate all production credentials on a fixed cadence and after any suspected leak, while preserving service continuity.

Rotation Scope

  • Supabase:
    • SUPABASE_KEY / service-role key used by bot service
    • JWT settings (SUPABASE_JWT_ISSUER, SUPABASE_JWT_AUDIENCE) verification values
  • Exchange credentials:
    • ALPACA_API_KEY, ALPACA_API_SECRET
    • REAL_ALPACA_API_KEY, REAL_ALPACA_API_SECRET
  • AI provider keys:
    • OPENAI_API_KEY
    • GEMINI_API_KEY
    • PERPLEXITY_API_KEY
  • Notification/API integration keys (if configured)

Rotation Procedure

  1. Create new credentials in provider consoles.
  2. Update secret stores (CI/CD, Azure, Vercel, etc.) with new values.
  3. Deploy bot and dashboard with new secret versions.
  4. Validate:
    • bot startup + auth checks
    • exchange order placement dry-run path
    • dashboard auth and websocket connectivity
  5. Revoke old credentials only after validation window.
  6. Record rotation date, actor, and affected systems in release notes.

Enforcement

  • CI includes executable secret hygiene scan:
    • scripts/verifySecretHygiene.ts
  • Gitleaks workflow remains enabled on push/PR.
  • Never commit real secrets into tracked files (.env, docs, scripts, configs).

Cadence

  • Standard: every 30 days
  • Immediate rotation triggers:
    • Secret leaked in logs/repo/chat/email
    • Access control incident
    • Team-member offboarding