security(phase1a): Phoenix Vault rotation runbook + consumer-prep scaffolding #5
Open
nsatoshi
wants to merge 1 commit from
devin/phase1a-vault-consumer-prep-1776543363 into master
pull from: devin/phase1a-vault-consumer-prep-1776543363
merge into: d-bis:master
1 Commits

| Author | SHA1 | Message | Date |
|---|---|---|---|
| | 57c717ad7e | security(phase1a): Phoenix Vault rotation runbook + consumer-prep scaffolding | |

Some checks failed: AI Code Review / claude-review (pull_request), failing after 48s

Part of the sequenced cleanup tracked in issue #1. Scaffolding only — no rotation executed, no secret values committed.

- docs/runbooks/PHOENIX_VAULT_ROTATION_RUNBOOK.md: authoritative Phoenix Vault rotation procedure (9-step: new root → rekey unseal → regenerate AppRoles → flip consumers → revoke old). Verification table + rollback path + Phase 2 handoff notes.
- docs/04-configuration/VAULT_SHARD_CUSTODY_POLICY.md: decision record for the next rotation. Three options documented (named-operator / cloud-KMS auto-unseal / Transit auto-unseal); selection pending operator sign-off before rotation executes.
- scripts/verify/enumerate-vault-consumers.sh: read-only grep over the tree for VAULT_ROLE_ID / VAULT_SECRET_ID / auth/approle/login references; flags which top-level consumers need a coordinated .env update at §1.6 of the runbook.
- scripts/verify/verify-vault-approle-auth.sh: post-rotation sanity check — posts AppRole login + token lookup-self; returns PASS/FAIL without echoing the Role ID, Secret ID, or client token.
- phoenix-deploy-api/.env.example: added VAULT_ADDR / VAULT_ROLE_ID / VAULT_SECRET_ID placeholder block with a pointer to the runbook. No values committed.
- mission-control/.env.example: NEW file (previously had none); documents the launchpad NEXT_PUBLIC_* vars and the same Vault AppRole placeholder block. Server-side only — never NEXT_PUBLIC_*.

Rotation execution stays with Phoenix ops; this commit only stages the runbook + env scaffolding so the eventual rotation does not require inventing infrastructure mid-incident.

Co-Authored-By: Nakamoto, S <defi@defi-oracle.io>
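The consumer-enumeration step the commit describes (a read-only grep for VAULT_ROLE_ID / VAULT_SECRET_ID / auth/approle/login references that reports which top-level directories need a coordinated .env update) can be illustrated with the following added example. It is not the PR's scripts/verify/enumerate-vault-consumers.sh and has not been taken from the d-bis repository; the directory names and file contents in the sample tree are constructed placeholders chosen only to mirror the consumers named in the commit message. The design point worth copying is that the enumerator lists file paths with grep -l and never prints matched lines, so a populated .env that happens to be on disk cannot leak a Secret ID into CI logs or a terminal scrollback.

```shell
#!/usr/bin/env sh
# Added example: enumerate Vault AppRole consumers under a source tree.
# Not the PR's own script; the patterns are the three named in the commit
# message, the sample tree below is constructed for demonstration only.

# Alternation of the references the runbook cares about. "auth/approle/login"
# catches code that calls the Vault API directly instead of reading env vars.
VAULT_PATTERNS='VAULT_ROLE_ID|VAULT_SECRET_ID|auth/approle/login'

# enumerate_vault_consumers ROOT
# Prints each top-level directory (relative to ROOT) that contains at least
# one reference, one per line, sorted and de-duplicated.
# grep -l emits file names only, so credential VALUES never reach stdout.
enumerate_vault_consumers() {
    root="$1"
    grep -rlE "$VAULT_PATTERNS" "$root" 2>/dev/null \
        | sed "s#^$root/##" \
        | awk -F/ '{ print $1 }' \
        | sort -u
}

# make_sample_tree
# Builds a throwaway tree in a temp directory and prints its path.
# Assumption: the layout only imitates the consumers the commit names;
# every value written here is a fake placeholder, not a real credential.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/phoenix-deploy-api" "$dir/mission-control" \
             "$dir/docs" "$dir/unrelated-svc"
    # Consumer 1: the full placeholder block the PR adds to its .env.example.
    printf 'VAULT_ADDR=https://vault.example.invalid\nVAULT_ROLE_ID=<role-id>\nVAULT_SECRET_ID=<secret-id>\n' \
        > "$dir/phoenix-deploy-api/.env.example"
    # Consumer 2: server-side Vault var next to public launchpad vars.
    printf 'NEXT_PUBLIC_API=https://api.example.invalid\nVAULT_SECRET_ID=<secret-id>\n' \
        > "$dir/mission-control/.env.example"
    # Consumer 3: a shell snippet that hits the AppRole login endpoint directly.
    printf 'curl -s -X POST "$VAULT_ADDR/v1/auth/approle/login"\n' \
        > "$dir/docs/login.sh"
    # Non-consumer: has an env file but no Vault references; must not be listed.
    printf 'DATABASE_URL=postgres://localhost/db\n' \
        > "$dir/unrelated-svc/.env.example"
    echo "$dir"
}
```

Run it against a real checkout with `enumerate_vault_consumers /path/to/tree` after sourcing the file; each printed name is a top-level consumer to schedule for the coordinated .env flip. Because the function relies on grep -r, hidden files such as .env.example are searched, while anything ignored by git but present on disk is searched too, which is the conservative choice for this step.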