Secrets Rotation Log
Every rotation appends a row. Newest first.
| Date | Secret | Reason | Rotator | Confirmed in sync |
|---|---|---|---|---|
| 2026-06-17 | GRAFANA_ADMIN_PASSWORD | LLM session exposure 2026-06-17 — BusyBox wget echoed password in error output during dashboard screenshot session; appeared in Claude transcript | claude | yes — Infisical CE + GH Secret + Grafana API live update; login verified |
| 2026-06-13 | P24_INFRA_WASABI_ACCESS_KEY | key QPFW4QRI2A6JUFFKR2PD existed in Wasabi IAM but gave InvalidAccessKeyId on S3 eu-central-2; rotated via Wasabi IAM API | claude | yes |
| 2026-06-13 | P24_INFRA_WASABI_SECRET_KEY | rotated together with access key above | claude | yes |
| 2026-06-13 | SUPABASE_DB_PASSWORD | stale password detected during VACUUM FULL maintenance session | radieu | yes |
| 2026-06-12 | P24_INFRA_WASABI_ACCESS_KEY | key lost — backup-exporter 65+ errors | radieu | yes |
| 2026-06-12 | P24_INFRA_WASABI_SECRET_KEY | key lost — backup-exporter 65+ errors | radieu | yes |
| 2026-05-13 | SUPABASE_GRAFANA_PASSWORD | bootstrap | radieu | n/a |
| 2026-05-13 | WASABI_ACCESS_KEY_ECOTRANS_MONITORING | bootstrap | radieu | n/a |
| 2026-05-13 | WASABI_SECRET_KEY_ECOTRANS_MONITORING | bootstrap | radieu | n/a |
| 2026-05-13 | WASABI_ACCESS_KEY_P24_INFRA | bootstrap | radieu | n/a |
| 2026-05-13 | WASABI_SECRET_KEY_P24_INFRA | bootstrap | radieu | n/a |
| 2026-05-13 | CLOUDFLARE_TOKEN_ZINTEGROWANA | bootstrap | radieu | n/a |
| 2026-05-13 | GRAFANA_ADMIN_PASSWORD | bootstrap | radieu | n/a |
| 2026-05-13 | MYSQL_PASSWORD | bootstrap | radieu | n/a |
| 2026-05-13 | SMTP_USER | bootstrap | radieu | n/a |
| 2026-05-13 | SMTP_PASSWORD | bootstrap | radieu | n/a |
| 2026-05-13 | EMAIL_SENDER_API_KEY | bootstrap | radieu | n/a |
| 2026-05-13 | WAHA_API_KEY | bootstrap | radieu | n/a |
| 2026-05-13 | HSTGR_N8N_API_KEY | bootstrap | radieu | n/a |
| 2026-05-13 | HSTGR_N8N_MCP_TOKEN | bootstrap | radieu | n/a |
| 2026-05-13 | ATRAX_AUTH_STRING | bootstrap | radieu | n/a |
| 2026-05-13 | OPENAI_MONITORING_TOKEN | bootstrap | radieu | n/a |
| 2026-05-13 | TRELLO_API_KEY | bootstrap | radieu | n/a |
| 2026-05-13 | TRELLO_TOKEN | bootstrap | radieu | n/a |
| 2026-05-13 | DISCORD_WEBHOOK_URL | bootstrap | radieu | n/a |
| 2026-05-13 | P24_DISCORD_INFRA_SCRIPTS_ERRORS_WEBHOOK_URL | bootstrap | radieu | n/a |
| 2026-05-13 | SSH_KEY_ROOT | bootstrap | radieu | n/a |
| 2026-05-13 | SSH_KEY_CLAUDE_ADMIN | bootstrap | radieu | n/a |
| 2026-05-13 | VPS1_HOSTINGER_ROOT_PASSWORD | bootstrap | radieu | n/a |
| 2026-05-08 | SUPABASE_SERVICE_ROLE_KEY | LLM session exposure 2026-05-06 | radieu | yes |
| 2026-05-08 | SUPABASE_ACCESS_TOKEN | LLM session exposure 2026-05-06 | radieu | yes |
| 2026-05-08 | SENTRY_AUTH_TOKEN | LLM session exposure 2026-05-06 | radieu | yes |
| 2026-05-08 | VERCEL_TOKEN | LLM session exposure 2026-05-06 | radieu | yes |
| 2026-05-08 | GITHUB_PAT | LLM session exposure 2026-05-06 | radieu | yes |
| 2026-05-08 | ANTHROPIC_API_KEY | LLM session exposure 2026-05-06 | radieu | yes |
2026-06-13 — SUPABASE_DB_PASSWORD rotation
- Credential: `SUPABASE_DB_PASSWORD` — postgres superuser password for Supabase project `mwkqmgadqnkkihjdeqsi`
- Trigger: stale password detected during a VACUUM FULL maintenance session; rotation was overdue (previous rotation: 2026-05-08)
- API method: `PATCH https://api.supabase.com/v1/projects/mwkqmgadqnkkihjdeqsi/database/password` with `Authorization: Bearer SUPABASE_ACCESS_TOKEN` (discovered that PUT and POST return 404 — PATCH is the correct verb)
- Updated in:
  - Local workstation: `d:\code_2026\p24-infra\.env.local` — `SUPABASE_DB_PASSWORD`
  - GitHub Secret: `SUPABASE_DB_PASSWORD`
- NOT updated (not needed):
  - vps-i1 `monitoring/.env` — Grafana uses the separate `grafana_readonly` role (`SUPABASE_GRAFANA_PASSWORD`); `db-maintenance.py` runs via GitHub Actions and reads `SUPABASE_DB_PASSWORD` from GH Secrets directly
- Next rotation due: 2026-09-13 (90 days)
2026-06-12 — Wasabi p24-infra IAM key rotation
- User: `p24-infra` (`arn:aws:iam::100000049371:user/p24-infra`)
- Bucket: `p24-infra` (region: eu-central-2, endpoint: `s3.eu-central-2.wasabisys.com`)
- Keys deleted: `RIEWOBR6...` (previous active key, lost/deleted from console), `FE6Q...3OHO` (stale), `0BSP...XSHA` (stale) — all three were invalid at time of discovery
- New key: `QPFW...R2PD` (access key ID prefix only; full key in `.env.local`)
- Updated in:
  - GitHub Secrets: `P24_INFRA_WASABI_ACCESS_KEY`, `P24_INFRA_WASABI_SECRET_KEY`
  - VPS vps-i1: `/opt/p24-infra/monitoring/.env`
  - Local workstation: `d:\code_2026\p24-infra\.env.local`
- Root cause: Previous key `RIEWOBR6...` was deleted from the Wasabi console without updating any of the consumers. The `backup-exporter` container was additionally misconfigured — it pointed at bucket `ecotrans-monitoring` (eu-central-1) using the general `WASABI_ACCESS_KEY` env var instead of the correct bucket `p24-infra` (eu-central-2) with `P24_INFRA_WASABI_ACCESS_KEY`. This resulted in 65+ consecutive errors.
- Related fix: PR #440 — corrected bucket name (`p24-infra`), region (`eu-central-2`), and env var (`P24_INFRA_WASABI_ACCESS_KEY`) in `monitoring/docker-compose.yml` for the `backup-exporter` service.
- Next rotation due: 2026-09-12 (90 days — shortened from 180d due to this incident)
Conventions
- Date — UTC, ISO `YYYY-MM-DD`.
- Secret — uppercase env-var-style name (e.g. `GRAFANA_ADMIN_PASSWORD`).
- Reason — one of: `scheduled`, `compromise`, `incident`, `hygiene`, `bootstrap`, `LLM session`, free text.
- Rotator — handle of the human who pushed the rotation commit.
- Confirmed in sync — `yes` / `no` / `n/a` once the `secrets-sync` workflow has run green and the VPS has the new value live.
Append, never edit. If a row was wrong, append a correction row below it.
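
An added example, not part of the original log or the project's tooling: a small Python linter that checks the rotation table against the conventions above (ISO date, uppercase secret name, sync value, newest-first order) and lists secrets whose newest row is older than a maximum age. The sample rows, the function names and the 90-day default are assumptions made for illustration; the default mirrors the 90-day intervals recorded in the two rotation notes.

```python
import re
from datetime import date

# Constructed sample in this log's table format (not rows from the real log).
SAMPLE = """\
| Date | Secret | Reason | Rotator | Confirmed in sync |
|---|---|---|---|---|
| 2026-06-13 | EXAMPLE_DB_PASSWORD | hygiene | alice | yes (login verified) |
| 2026-06-14 | example-api-key | scheduled | bob | maybe |
| 2026-02-01 | EXAMPLE_SMTP_PASSWORD | bootstrap | alice | n/a |
"""
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
SECRET_RE = re.compile(r"[A-Z][A-Z0-9_]*")
SYNC_RE = re.compile(r"(yes|no|n/a)\b.*")  # free text may follow the value

def parse_rows(markdown):
    """Yield (line_no, date_or_None, cells) for each data row of the table."""
    for no, line in enumerate(markdown.splitlines(), 1):
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not line.startswith("|") or cells[0] == "Date" or set(line) <= set("|-: "):
            continue  # skip prose, the header row and the separator row
        try:
            ok = len(cells) == 5 and DATE_RE.fullmatch(cells[0])
            yield no, (date.fromisoformat(cells[0]) if ok else None), cells
        except ValueError:  # right shape but not a real calendar date
            yield no, None, cells

def lint(markdown):
    """Return (line_no, message) for every row that breaks the conventions."""
    findings, prev = [], None
    for no, day, cells in parse_rows(markdown):
        if day is None:
            findings.append((no, "need 5 columns and an ISO YYYY-MM-DD date"))
            continue
        if prev and day > prev:
            findings.append((no, "newer than the row above (log is newest first)"))
        if not SECRET_RE.fullmatch(cells[1]):
            findings.append((no, "secret is not an uppercase env-var-style name"))
        if not SYNC_RE.fullmatch(cells[4]):
            findings.append((no, "sync column must start with yes, no or n/a"))
        prev = day
    return findings

def overdue(markdown, today, max_age_days=90):
    """Secrets whose newest dated row is older than max_age_days (assumed default)."""
    latest = {}
    for _, day, cells in parse_rows(markdown):
        if day:
            latest[cells[1]] = max(day, latest.get(cells[1], day))
    return sorted(s for s, d in latest.items() if (today - d).days > max_age_days)
```

Run in CI against the log file, `lint` catches malformed or out-of-order rows before merge and `overdue` gives the list of secrets to schedule next.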