# Credential Rotation Checklist

## Status
Triage complete on current daily-scrub audit log (59 entries, generated 2026-04-21). Do not rotate anything without Morgan sign-off.
Audit log gap flagged: This log (59 entries) is the daily automated scrub output. Morgan's travel-window dispatch and Eva's iOS recovery reference a larger manual audit (68 + 41 + 4 redactions) that identified real AWS AKIA* keys and 6 Airtable PATs — those do NOT appear in this log. Morgan needs to share the comprehensive audit source or the specific source files before the AWS + Airtable rotation targets can be confirmed. See Section 1C.
Triage source: /Claude/operations/logs/credential-scrub-audit.md
## Section 1 — Credential Triage

### 1A — Confirmed False Positives (42 of 59 entries — safe to ignore)
| Snippet pattern | Files | Reason |
|---|---|---|
| 00000000... | Project-Manager_8511c636 | Zero string — not a credential format |
| ========... (8 entries) | CDO_0e480545, Project-Manager_b3f06027 | Markdown horizontal rule separators |
| /Users/r... (8 entries) | CDO_d45ac85a, CDO_a6650a10, CMO_ff92fad7, CMO_f172b0ba, Code.Assistant_08379b83 | Filesystem path fragments |
| /project... (3 entries) | Security.Ops_1ee115f2, CDO_9d8ca969, CDO_fbecd7c6 | Vault path fragments |
| Active/C..., Claude/k... (3 entries) | project.manager files | Vault path fragments |
| res/ecos..., on/displ... (4 entries) | CDO_a6650a10 (Apr 5 + Apr 7, same session) | "resources/ecomonetize", "on/display" path fragments |
| m/archiv... | Mining.Mind_42ba8d8a | "m/archive" URL path fragment |
| com/wedd... (3), wedding/... (2) | Personal.Admin_a41d7528 | Wedding URL — personal admin session |
| ttings/p... | Revenue.OS_720fb522 | "settings/path" fragment |
| ccelerat..., einforce..., hlist/in... | Financial.Research_37c42803 | English word fragments ("accelerate", "reinforce", "hlist/index") |
| nds/Aust... | CDO_0e480545 | Likely "lands/Australia" or "funds/Austin" — path fragment |
| dIn/Blog... | CDO_9d8ca969 | "LinkedIn/Blog" URL fragment |
| 873E03D3..., 35f58a1b... (x2), 88fe4f52... | Code.Assistant_466c41ea, CDO_a6650a10, CDO_fbecd7c6 | Git commit hashes — not credentials |
### 1B — Real / Likely Real (10 entries → up to 8 distinct credentials)
Rotate in priority order:
| Priority | Snippet | Source file | Credential type (best guess) | Evidence | Rotation status |
|---|---|---|---|---|---|
| P1 | /rnjiwfe... | CDO_9160a00d (2026-04-09) | GitHub PAT | Push protection blocked vault→GitHub backup on this exact file:line | Pending rotation |
| P1 | gVMZWTqB... (x3, pos 583/113/1359) | Code.Assistant_466c41ea (2026-03-16) | Salesforce OAuth Consumer Key | Confirmed by Eva's iOS recovery dispatch — triggered push protection v2 scrub pass | Pending rotation |
| P2 | Bearer e... (x2, same value) | project.manager_892a27d5 (Apr 19 + Apr 20) | JWT Bearer token | Bearer e = likely Bearer ey... (JWT format). Appears on two consecutive dates = same token, still in use | Pending — need service ID |
| P2 | token ey... | General-Documents-Claude_b3653746 (2026-03-13) | JWT token | ey prefix = base64-encoded {" = JWT header — real token format | Pending — need service ID |
| P2 | bHUZWqkx... (x2, pos 1527/1563) | project.manager_6820ae4c (2026-04-16) | Unknown API credential | Base64 mixed-case string, appears twice in same file at adjacent positions = same value copied, not noise | Pending — need service ID |
| P2 | djJpdbxU... (x2) | Legal.Research_a96f26e9 (Mar 17) + Personal.Admin_a41d7528 (Mar 18) | Unknown credential | Same base64 value appearing in two different session files one day apart — cross-session reuse suggests a real shared credential | Pending — need service ID |
| P3 | apikey=Y... | Financial.Research_37c42803 (2026-03-23) | Unknown API key | Explicit apikey= parameter format — not incidental. Morgan specifically flagged. | Pending — need service ID |
| P3 | token=PA... | Code.Assistant_08379b83 (2026-03-25) | Likely GitHub PAT (old format) | token=PA could be a GitHub PAT — old-style PATs used ghp_ or PA prefix forms | Pending — need service ID |
Uncertain (need manual file inspection before deciding):
| Snippet | Source file | Why uncertain | Action |
|---|---|---|---|
| p6Wy/tbl... | CMO_ff92fad7 (2026-03-28) | "tbl" is an Airtable table ID prefix — could be an Airtable PAT or an Airtable URL with a table ID embedded. Needs file read to determine context. | Read file at pos 1859 |
| token=P8... | Personal.Admin_a41d7528 (2026-03-18) | Unknown service. P8 doesn't match known token format prefixes. Personal admin sessions could contain anything. | Read file at pos 781 |
### 1C — Not in This Log (require comprehensive audit source)
Morgan's travel-window manual audit identified these credential classes that do NOT appear in the current 59-entry daily scrub log. They likely exist in pre-scrub original files or older export batches.
| Credential type | Count (per Morgan/Eva) | Status |
|---|---|---|
| AWS Access Key IDs (AKIA* prefix) | 2 instances | ⚠ Not visible — need Morgan to share source files or comprehensive audit log |
| Airtable PATs | 6 instances across 2 files | ⚠ Only 1 possible Airtable entry in current log (p6Wy/tbl...) — 5+ missing |
Action required: Morgan to provide the comprehensive scrub audit from the travel window (the one with 68+41+4 redactions) so the AWS and Airtable entries can be triaged and rotation targets confirmed.
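The shape rules applied in 1A, 1B, the uncertain table and 1C (zero strings, separator runs, path fragments, hex commit hashes, the `ey` JWT prefix, `Bearer` and `apikey=`/`token=` parameter forms, the Airtable `tbl` prefix, the `AKIA` prefix, and escalation when the same value recurs across files or at adjacent positions in one file) written out as a small Python triage pass. This is an added example, not the daily scrub tool or any code from this vault; the entries are constructed from the snippet prefixes and file names in the tables above plus one made-up AKIA placeholder, and the `evidence` field, the verdict names and the exact rule set are assumptions of the example.

```python
import re
from collections import Counter, defaultdict

# Shape rules, most to least specific. They see only the truncated snippet
# text, so file context and external evidence are allowed to override them.
ZERO_RE = re.compile(r"^0+$")
SEPARATOR_RE = re.compile(r"^[=\-_*#]+$")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{2,}")               # AWS access key ID prefix
BEARER_RE = re.compile(r"^Bearer\s+\S")
JWT_RE = re.compile(r"(?:^|\s)ey(?![^A-Za-z0-9_-])")         # 'ey' = base64url of '{"'
PARAM_RE = re.compile(r"^(?:apikey|api_key|token|secret)=", re.IGNORECASE)
AIRTABLE_RE = re.compile(r"(?:^|/)tbl[A-Za-z0-9]*")          # table ID: URL or PAT context?
HEX_RE = re.compile(r"^[0-9a-fA-F]{7,}$")                    # git commit hash shape
PATH_RE = re.compile(r"^[A-Za-z0-9._-]*/[A-Za-z0-9._/-]*$")
WORD_RE = re.compile(r"^[a-z]+$")                            # English word fragment
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def classify_snippet(snippet):
    """Verdict on text alone: 'noise', 'likely' (rotate once service known) or 'inspect'."""
    s = snippet.strip()
    if ZERO_RE.match(s):
        return "noise", "zero string, not a credential format"
    if SEPARATOR_RE.match(s):
        return "noise", "markdown separator run"
    if AWS_KEY_RE.search(s):
        return "likely", "AWS access key ID prefix AKIA"
    if BEARER_RE.match(s) or JWT_RE.search(s):
        return "likely", "JWT shape (Bearer / ey prefix)"
    if PARAM_RE.match(s):
        return "likely", "explicit credential parameter name; service still unknown"
    if AIRTABLE_RE.search(s):
        return "inspect", "Airtable table-ID prefix: URL or PAT, needs file read"
    if HEX_RE.match(s):
        return "noise", "hex-only, git commit hash shape"
    if PATH_RE.match(s):
        return "noise", "filesystem/URL path fragment"
    if WORD_RE.match(s):
        return "noise", "all-lowercase letters, word fragment"
    if B64_RE.match(s) and any(c.islower() for c in s) and any(c.isupper() for c in s):
        return "inspect", "mixed-case base64-like string, no known prefix"
    return "inspect", "no recognised shape"


def triage(entries):
    """Apply shape rules, then escalate on external evidence and on value reuse."""
    by_snippet = defaultdict(list)
    for e in entries:
        by_snippet[e["snippet"]].append(e)
    results = []
    for e in entries:
        verdict, reason = classify_snippet(e["snippet"])
        peers = by_snippet[e["snippet"]]
        if e.get("evidence"):
            # Push protection blocking a backup at this file:line outranks any shape rule.
            verdict, reason = "confirmed", f"external evidence: {e['evidence']}"
        elif verdict == "inspect":
            files = {p["file"] for p in peers}
            if len(files) > 1:
                verdict, reason = "likely", f"same value in {len(files)} session files (cross-session reuse)"
            elif len(peers) > 1:
                verdict, reason = "likely", f"same value {len(peers)}x in one file (copied, not noise)"
        results.append({**e, "verdict": verdict, "reason": reason})
    return results


def summarize(results):
    """Counts per verdict, the figure a checklist headline reports."""
    return dict(Counter(r["verdict"] for r in results))


def rotation_targets(results):
    """Distinct values that need rotation (or a service ID first)."""
    return sorted({r["snippet"] for r in results if r["verdict"] in ("confirmed", "likely")})


# Constructed entries modelled on the tables above; AKIAEXAM is a made-up placeholder.
SAMPLE_ENTRIES = [
    {"file": "Project-Manager_8511c636", "pos": 12, "snippet": "00000000"},
    {"file": "CDO_0e480545", "pos": 40, "snippet": "========"},
    {"file": "CDO_d45ac85a", "pos": 77, "snippet": "/Users/r"},
    {"file": "Code.Assistant_466c41ea", "pos": 91, "snippet": "873E03D3"},
    {"file": "Financial.Research_37c42803", "pos": 130, "snippet": "ccelerat"},
    {"file": "CDO_9160a00d", "pos": 210, "snippet": "/rnjiwfe", "evidence": "push protection blocked backup"},
    {"file": "General-Documents-Claude_b3653746", "pos": 300, "snippet": "token ey"},
    {"file": "project.manager_892a27d5", "pos": 410, "snippet": "Bearer e"},
    {"file": "Financial.Research_37c42803", "pos": 520, "snippet": "apikey=Y"},
    {"file": "Legal.Research_a96f26e9", "pos": 600, "snippet": "djJpdbxU"},
    {"file": "Personal.Admin_a41d7528", "pos": 610, "snippet": "djJpdbxU"},
    {"file": "project.manager_6820ae4c", "pos": 1527, "snippet": "bHUZWqkx"},
    {"file": "project.manager_6820ae4c", "pos": 1563, "snippet": "bHUZWqkx"},
    {"file": "CMO_ff92fad7", "pos": 1859, "snippet": "p6Wy/tbl"},
    {"file": "Personal.Admin_a41d7528", "pos": 781, "snippet": "token=P8"},
    {"file": "constructed-example", "pos": 1, "snippet": "AKIAEXAM"},
]

if __name__ == "__main__":
    rows = triage(SAMPLE_ENTRIES)
    for r in rows:
        print(f"{r['verdict']:9} {r['snippet']:10} {r['file']:36} {r['reason']}")
    print(summarize(rows), rotation_targets(rows))
```

Note that `/rnjiwfe` comes out as a path fragment on shape alone and is only promoted by the push-protection evidence, which is exactly why the rules are ordered below the evidence check; the same caveat applies to `p6Wy/tbl`, which stays at `inspect` until someone reads the file at the recorded position.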
## Section 2 — Rotation Sequence (to complete after triage)

For each confirmed real credential:
1. Generate new credential in source service
2. Update all consumers (launchd agents, scripts, API configs, 1Password vault entry)
3. Verify consumers work with new credential
4. Revoke old credential in source service
5. Log rotation date and new 1Password entry name in this file
1Password vault target: All rotated credentials land in the Production vault with standard naming: {Service}-{Purpose}-{YYYY-MM} (e.g., AWS-CDK-Deploy-2026-04).
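The five-step sequence above and the Production-vault naming rule, expressed as a guarded state machine so that step 4 (revoke the old credential) is unreachable until step 3 (verify every consumer with the new one) has passed, and step 5 refuses any entry name that is off-convention. This is an added example, not the team's rotation tooling: the `Rotation` class, the `check` callback, the consumer names and the log-entry shape are assumptions of the example; the vault-name pattern and step order come from this section.

```python
import re
from datetime import date

# Step order from Section 2; revoke_old is only reachable after verify passed.
STEPS = ("generate", "update_consumers", "verify", "revoke_old", "log")

# {Service}-{Purpose}-{YYYY-MM}; the purpose may itself contain hyphens (CDK-Deploy).
VAULT_NAME_RE = re.compile(r"^[A-Za-z0-9]+-[A-Za-z0-9-]+-\d{4}-(?:0[1-9]|1[0-2])$")

# Constructed consumer names of the kinds listed in step 2.
CONSUMERS = ["launchd:com.example.vault-backup", "script:backup.sh", "1password:Production"]


class RotationOrderError(Exception):
    """A step was attempted out of sequence."""


def vault_entry_name(service, purpose, year_month):
    """Build the 1Password entry name and reject anything that breaks the convention."""
    name = f"{service}-{purpose}-{year_month}"
    if not VAULT_NAME_RE.match(name):
        raise ValueError(f"{name!r} does not match {{Service}}-{{Purpose}}-{{YYYY-MM}}")
    return name


class Rotation:
    def __init__(self, snippet, service, purpose):
        self.snippet, self.service, self.purpose = snippet, service, purpose
        self.done = []            # completed steps, in order
        self.consumers = []       # consumers updated in step 2
        self.old_revoked = False

    def _require(self, step):
        expected = STEPS[len(self.done)] if len(self.done) < len(STEPS) else None
        if step != expected:
            raise RotationOrderError(f"{step!r} attempted; next allowed step is {expected!r}")

    def generate(self):
        self._require("generate")
        self.done.append("generate")

    def update_consumers(self, consumers):
        self._require("update_consumers")
        self.consumers = list(consumers)
        self.done.append("update_consumers")

    def verify(self, check):
        """check(consumer) -> bool. Returns the failing consumers; verify only completes when empty."""
        self._require("verify")
        failed = [c for c in self.consumers if not check(c)]
        if failed:
            return failed         # old credential stays valid; fix the consumer and re-run verify
        self.done.append("verify")
        return []

    def revoke_old(self):
        self._require("revoke_old")   # raises unless verify passed
        self.old_revoked = True
        self.done.append("revoke_old")

    def log(self, when):
        """Step 5: the line recorded in this file (rotation date + new vault entry name)."""
        self._require("log")
        entry = vault_entry_name(self.service, self.purpose, when.strftime("%Y-%m"))
        self.done.append("log")
        return {"snippet": self.snippet, "rotated": when.isoformat(),
                "entry": entry, "consumers": self.consumers}


def run_rotation(snippet, service, purpose, consumers, check, when):
    """Drive all five steps; returns the log entry, or None when verification failed."""
    r = Rotation(snippet, service, purpose)
    r.generate()
    r.update_consumers(consumers)
    if r.verify(check):
        return None               # nothing revoked, nothing logged
    r.revoke_old()
    return r.log(when)


def demo():
    """Worked run on constructed inputs: a clean rotation, a failed verify, an out-of-order revoke."""
    when = date(2026, 4, 21)
    ok = run_rotation("/rnjiwfe", "GitHub", "Vault-Backup", CONSUMERS, lambda c: True, when)
    failed = run_rotation("apikey=Y", "Unknown", "Research-API", CONSUMERS,
                          lambda c: c != "script:backup.sh", when)
    r = Rotation("token ey", "Svc", "Purpose")
    r.generate()
    r.update_consumers(CONSUMERS)
    try:
        r.revoke_old()
        early_revoke_rejected = False
    except RotationOrderError:
        early_revoke_rejected = True
    return {"ok_entry": ok["entry"], "failed_entry": failed,
            "early_revoke_rejected": early_revoke_rejected, "old_still_valid": not r.old_revoked}
```

The point of the guard is the ordering failure mode: if a launchd agent still has the old token cached, revoking first turns a rotation into an outage, so `revoke_old` cannot run until `verify` has returned an empty failure list.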
## Section 3 — Known Security Gaps (non-credential)
These are documented gaps that are not credential rotation items but belong in the same security posture picture.
### GAP-001 — Public repo creation restriction unavailable on GitHub Free
Severity: SEV3 — documented, low risk at current org size
Description: GitHub Free for organizations does not allow unchecking "Public" under Member Privileges → Repository creation. Restricting members to private-only repo creation requires GitHub Team ($4/user/month). On the free plan, Public is the only selectable option and cannot be removed.
Current risk: Low. Rick is the sole org member. Outside collaborators can never create repos regardless of plan. No one can accidentally create a public repo except Rick.
Controls already in place: Branch protection rulesets on all active repos, secret scanning + push protection enabled org-wide, org consolidated to single eco-monetize org, 2FA enforcement enabled.
Upgrade trigger: GitHub Team when the first non-owner org member joins. At that point:
- Uncheck "Public" under Member Privileges → Repository creation
- Enable "Restrict members from changing repository visibility"
- Both settings at github.com/organizations/eco-monetize/settings/member_privileges
Owner: security.ops | Identified: 2026-04-21 | Review at: first team member hire
### GAP-002 — 2FA enforcement confirmed complete
Severity: N/A — closed
Rick enabled org-wide 2FA requirement 2026-04-21. Any member without 2FA would be removed from the org until enabled.
## Section 4 — 1Password Service Account Recommendation (pending)
Michelle (CMO) has requested a security risk assessment on using a 1Password Service Account (OP_SERVICE_ACCOUNT_TOKEN) for headless agent automation — eliminating the per-device, per-physical-session op signin requirement that causes credential-access outages during travel windows.
Assessment status: Pending — see /Claude/sessions/security.ops/michelle-task-1password-service-account-recommendation-2026-04-20.md
Output path: /Claude/sessions/cmo/security-ops-response-1password-service-account-YYYY-MM-DD.md