# Secret Rotation Checklist (Production)

Target: `my.votcloud.com`
Host: `102.69.243.167`

## Scope

Rotate the following regularly (monthly/quarterly, and immediately after any incident):

1. `JWT_SECRET`
2. `JWT_REFRESH_SECRET`
3. `POSTGRES_PASSWORD`
4. `ADMIN_PASSWORD`

Recommended:

1. `BACKUP_ENCRYPTION_KEY` (with a controlled key-migration plan: backups already written remain readable only with the key they were encrypted under)
2. Proxmox API token secret
3. Payment/webhook secrets

Enterprise hardening:

1. Keep one grace window for webhook secret rotation (`*_previous`) so that events the provider signed with the outgoing secret are not dropped during cutover.
2. Validate the new Proxmox token directly against `/api2/json/version` (expect HTTP 200) before applying it in panel settings.

## Runbook (Safe Order)

1. Create a timestamped app/env/db backup.
2. Rotate env secrets in `.env.production`. Generate replacements from a CSPRNG (for example `openssl rand -hex 32`); never reuse or hand-type secrets.
3. Apply the DB password rotation (`ALTER USER ... WITH PASSWORD ...`) over the still-working old connection, before the app stack restarts with the new value. Update any connection string that embeds the password as well.
4. Restart the app stack with the new env.
5. Re-seed the admin user (`npm run prisma:seed`) to sync the rotated admin password.
6. Revoke all active sessions (`AuthSession`) so that sessions issued under the old secrets are also invalidated server-side.
7. Verify:
   - `GET /api/health`
   - Admin login
   - Core pages (`/rbac`, `/profile`, `/system`, `/audit-logs`)
8. Save a secure summary with the new admin credentials under `/root/` (owner-only permissions; delete it once the credentials are in the password manager).

## Automation Script

Use:

```bash
sudo bash /opt/proxpanel/infra/deploy/rotate-production-secrets.sh
```

Script guarantees:

1. Backup directory created in `/opt/proxpanel-backups/-secret-rotation/`
2. DB pre-rotation dump created
3. Post-rotation health + login verified
4. Summary written to `/root/proxpanel-secret-rotation-.txt`

For integration secrets (Proxmox + payment/webhook + alerting endpoints), use:

```bash
sudo bash /opt/proxpanel/infra/deploy/rotate-integration-secrets.sh \
  --proxmox-token-secret 'new_token_secret' \
  --paystack-secret 'new_paystack_secret' \
  --flutterwave-webhook-hash 'new_hash'
```

Secrets passed as command-line arguments are visible in shell history and in the process list while the script runs; clear or disable history for the session, and run it from a root shell that other users cannot inspect.

After the external provider cutover is confirmed, clear the grace secrets:

```bash
sudo bash /opt/proxpanel/infra/deploy/rotate-integration-secrets.sh \
  --finalize-payment-webhook-grace
```

## Rollback Plan

If post-rotation checks fail:

1. Restore `.env.production` from the backup.
2. Restore the previous app files if needed.
3. Restore the DB dump if schema/state corruption occurred. If the DB password was already changed but the dump is not being restored, set it back with `ALTER USER ... WITH PASSWORD ...` so the restored `.env.production` matches the database.
4. Recreate the containers:
   - `docker compose --env-file .env.production -f infra/deploy/docker-compose.production.yml up -d --build`

## Audit Trail

Store:

1. Rotation timestamp
2. Operator identity
3. Backup directory used
4. Health verification evidence
5. Any rollback events
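The env-file steps of the runbook (backup, CSPRNG secret, in-place rotation, the `*_previous` grace window and its finalization) and the Proxmox token pre-check from the hardening list, as an added example. This is not the project's `rotate-production-secrets.sh` or `rotate-integration-secrets.sh`; it assumes a plain `KEY=VALUE` env file without quoting, spells the grace key as `KEY_PREVIOUS` (the page only says `*_previous`), and assumes Proxmox listens on the default port 8006 with a certificate the host already trusts (pass `--cacert` to `curl` otherwise). The sample env file in the test is constructed.

```bash
#!/usr/bin/env bash
# Added example: helper functions for rotating secrets in an env file.
# Not the project's own script. Assumes KEY=VALUE lines with no quoting
# and uses KEY_PREVIOUS as the grace-window key (naming is an assumption).
set -eu

# 32 random bytes as 64 hex characters, without depending on openssl.
gen_secret() {
  head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Timestamped, owner-only copy of the env file; prints the backup path.
backup_env() {
  local file="$1" dir="$2" dest
  dest="$dir/$(basename "$file").$(date -u +%Y%m%dT%H%M%SZ)"
  mkdir -p "$dir"
  cp -p "$file" "$dest"
  chmod 600 "$dest"
  printf '%s\n' "$dest"
}

# Value of KEY (empty if absent). Only the first '=' separates key and value.
get_env_var() {
  local file="$1" key="$2"
  awk -F= -v k="$key" '$1==k { sub(/^[^=]*=/, ""); print; exit }' "$file"
}

# Replace KEY=... in place, or append it if missing. The value travels via the
# environment (ENVIRON), not awk -v, so backslashes in secrets are not mangled.
# Written to a temp file and renamed, so readers never see a half-written file.
set_env_var() {
  local file="$1" key="$2" tmp
  tmp="$(mktemp "${file}.XXXXXX")"
  NEW_VALUE="$3" awk -F= -v k="$key" '
    $1==k { print k "=" ENVIRON["NEW_VALUE"]; done=1; next }
    { print }
    END { if (!done) print k "=" ENVIRON["NEW_VALUE"] }
  ' "$file" > "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$file"
}

# Rotate KEY but keep the outgoing value under KEY_PREVIOUS, so webhooks the
# provider signed with the old secret still verify during the cutover window.
rotate_with_grace() {
  local file="$1" key="$2" new="$3" old
  old="$(get_env_var "$file" "$key")"
  if [ -n "$old" ]; then
    set_env_var "$file" "${key}_PREVIOUS" "$old"
  fi
  set_env_var "$file" "$key" "$new"
}

# Once the provider cutover is confirmed, drop the grace value entirely.
finalize_grace() {
  local file="$1" key="$2" tmp
  tmp="$(mktemp "${file}.XXXXXX")"
  awk -F= -v k="${key}_PREVIOUS" '$1!=k' "$file" > "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$file"
}

# Pre-check a Proxmox API token against /api2/json/version before saving it
# in panel settings. Returns 0 only on HTTP 200. Needs network access and a
# trusted server certificate (add --cacert for a private CA); not run here.
# Assumed arguments: host, user@realm, token id, token secret.
proxmox_check_token() {
  local host="$1" user="$2" tokenid="$3" secret="$4"
  curl --fail --silent --show-error --max-time 10 \
    --header "Authorization: PVEAPIToken=${user}!${tokenid}=${secret}" \
    "https://${host}:8006/api2/json/version" > /dev/null
}
```

Run the functions in the runbook's order: `backup_env` first, then `set_env_var` for `JWT_SECRET`, `JWT_REFRESH_SECRET` and `POSTGRES_PASSWORD` with values from `gen_secret`, `rotate_with_grace` for webhook secrets, and `finalize_grace` only after the provider has confirmed the new secret. `proxmox_check_token` belongs before the token is written to the panel, not after.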