# Credential Rotation — Consolidated Guide

**Last Updated:** 2026-02-10
**Status:** Infrastructure Complete, Awaiting Execution
**Original Docs:** Consolidated from 8 separate files (2026-01-31)

## Overview

Comprehensive credential rotation system for BasicAS Group. It handles API keys, tokens, and service credentials across 5+ platforms.

**Key Principle:** Manual collection (30 min) → Automated storage (2 min) → Secure keychain

### Why Manual Collection is Required

**Technical Reality:**

- All services require an authenticated browser login
- No programmatic API exists to regenerate credentials without authentication
- Alem's login credentials are not stored in the system (by design)
- MFA/CAPTCHA may be required at some services
- OAuth flows require interactive user approval

**Result:** Automation handles storage and verification. A human handles credential generation.

## Services Requiring Rotation

| Service | Type | Location | Rotation Frequency |
|---|---|---|---|
| Anthropic | API Key | console.anthropic.com/account/keys | 90 days |
| ElevenLabs | API Key | elevenlabs.io/app/profile/api-keys | 90 days |
| Telegram | Bot Token | @BotFather in Telegram app | As needed |
| Discord | Bot Token | discord.com/developers/applications | As needed |
| Z.ai | API Key | z.ai dashboard | 90 days |
| one.com | SMTP Password | one.com webmail settings | 180 days |
| Cloudflare | API Token | dash.cloudflare.com/profile/api-tokens | 90 days |

## Current Credential Status (as of 2026-01-31)

### ✅ Found in System

- Anthropic: `sk-ant-api03-cH6oDXQ...` (in config files)
- ElevenLabs: `sk_5b54ee283cd9ee9ff12dae6...` (in config files)
- Telegram: `8390640424:AAFP9Zf1...` (in config files)
- Z.ai: `143eda33ea3e41f8...` (in config files)

Only key prefixes are recorded here, enough to recognise which credential a config file holds. The full values belong in the Keychain and config files, never in this document.

### ❌ Not Found

- Discord: Needs creation (bot not yet set up)

## Rotation Process

### Step 1: Review Services (5 min)

Identify which credentials need rotation based on:

- Last rotation date
- Security incidents
- Compliance requirements
- Service recommendations

### Step 2: Collect New Credentials (25-30 min)

Visit each service and generate new credentials:

**Anthropic (5 min)**

1. Visit https://console.anthropic.com/account/keys
2. Login with Alem's credentials
3. Click "Create Key"
4. Name: `BasicAS-Production-YYYY-MM-DD`
5. Copy key (starts with `sk-ant-api03-`)
6. Save to temp file

**ElevenLabs (5 min)**

1. Visit https://elevenlabs.io/app/profile/api-keys
2. Login with Alem's credentials
3. Click "Generate API Key"
4. Copy key (starts with `sk_`)
5. Save to temp file

**Telegram Bot (5 min)**

1. Open Telegram app
2. Message @BotFather
3. Command: `/mybots`
4. Select bot → API Token → Regenerate Token
5. Copy token (format: `NNNNN:AAAAAAAA...`)
6. Save to temp file

**Discord Bot (5 min)**

1. Visit https://discord.com/developers/applications
2. Login with Alem's credentials
3. Select application → Bot → Reset Token
4. Copy token
5. Save to temp file

**Z.ai (5-10 min)**

1. Visit https://z.ai
2. Login with Alem's credentials
3. Navigate to API settings
4. Generate new token
5. Copy token
6. Save to temp file

### Step 3: Create Credential File (2 min)

Format: `~/temp-credentials.txt`

```text
ANTHROPIC_API_KEY=sk-ant-api03-...
ELEVENLABS_API_KEY=sk_...
TELEGRAM_BOT_TOKEN=1234567890:AAAAA...
DISCORD_BOT_TOKEN=...
ZAI_API_KEY=...
```
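The temp file above is the only hand-typed input to the whole process, so it is worth checking before anything is written to the Keychain. The following is an added example written for this guide; it is not the project's `credential-import.js`. It parses the `NAME=VALUE` format, rejects missing, duplicate or unknown entries, checks each value against the prefixes listed in Step 2 (the exact patterns are assumptions, not vendor specifications), and builds the `security add-generic-password` argv that makes each entry readable later with `security find-generic-password -s NAME`. The account name `basicas` is a placeholder; in dry-run mode nothing is executed.

```javascript
'use strict';
// Added example for this guide, not the project's credential-import.js.
// Validates ~/temp-credentials.txt before keychain import.

// Expected credential names with an assumed shape check per value
// (based on the prefixes in Step 2; not authoritative vendor formats).
const EXPECTED = {
  ANTHROPIC_API_KEY:  v => /^sk-ant-api03-[A-Za-z0-9_-]{20,}$/.test(v),
  ELEVENLABS_API_KEY: v => /^sk_[0-9a-f]{16,}$/.test(v),
  TELEGRAM_BOT_TOKEN: v => /^\d+:[A-Za-z0-9_-]{20,}$/.test(v),
  DISCORD_BOT_TOKEN:  v => /^\S{8,}$/.test(v),
  ZAI_API_KEY:        v => /^\S{8,}$/.test(v),
};

// Parse file text into { name: value }. Blank lines and '#' comments are
// skipped; malformed or duplicate lines are reported with their line number.
function parseCredentialFile(text) {
  const creds = {};
  const errors = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#')) return;
    const eq = line.indexOf('=');
    if (eq <= 0) { errors.push(`line ${i + 1}: expected NAME=VALUE`); return; }
    const name = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (name in creds) { errors.push(`line ${i + 1}: duplicate ${name}`); return; }
    creds[name] = value;
  });
  return { creds, errors };
}

// Every expected credential must be present and well-formed; unknown names
// are rejected so a typo cannot silently create a stray keychain item.
function validateCredentials(creds) {
  const problems = [];
  for (const [name, check] of Object.entries(EXPECTED)) {
    const value = creds[name];
    if (value === undefined || value === '') problems.push(`${name}: missing`);
    else if (!check(value)) problems.push(`${name}: unexpected format`);
  }
  for (const name of Object.keys(creds)) {
    if (!(name in EXPECTED)) problems.push(`${name}: unknown credential name`);
  }
  return problems;
}

// argv for `security add-generic-password`. -U updates an existing item
// instead of failing, which is exactly what a rotation needs.
// Caveat: -w places the secret on the command line, where `ps` on the same
// machine can see it for the duration of the call.
function keychainArgs(name, value, account = 'basicas') {   // account is a placeholder
  return ['add-generic-password', '-U', '-a', account, '-s', name, '-w', value];
}

// Validate, then either return the commands (dryRun) or run them.
function importCredentials(text, { dryRun = true } = {}) {
  const { creds, errors } = parseCredentialFile(text);
  const problems = errors.concat(validateCredentials(creds));
  if (problems.length) return { ok: false, problems, commands: [] };
  const commands = Object.entries(creds).map(([n, v]) => keychainArgs(n, v));
  if (!dryRun) {
    const { execFileSync } = require('child_process');
    commands.forEach(args => execFileSync('security', args, { stdio: 'ignore' }));
  }
  return { ok: true, problems: [], commands };
}

// Constructed sample input: placeholder values, not real credentials.
const SAMPLE_FILE = [
  '# temp-credentials.txt (constructed example)',
  'ANTHROPIC_API_KEY=sk-ant-api03-EXAMPLE_NOT_A_REAL_KEY_0123456789',
  'ELEVENLABS_API_KEY=sk_0123456789abcdef0123456789abcdef',
  'TELEGRAM_BOT_TOKEN=1234567890:' + 'A'.repeat(35),
  'DISCORD_BOT_TOKEN=EXAMPLE.discord.token.not.real',
  'ZAI_API_KEY=example-zai-key-placeholder',
].join('\n');

// Dry run on the sample: prints the commands that would be executed.
console.log(JSON.stringify(importCredentials(SAMPLE_FILE, { dryRun: true }), null, 2));
```

Run it with `node` against the sample to see the argv list; to use it on the real file, read `~/temp-credentials.txt` with `fs.readFileSync` and pass `{ dryRun: false }` only once the dry run reports `ok: true`.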
### Step 4: Run Import Tool (2 min)

```bash
# Import to macOS Keychain + update configs
node ~/system/tools/credential-import.js ~/temp-credentials.txt

# Verify storage
security find-generic-password -s "ANTHROPIC_API_KEY"
security find-generic-password -s "ELEVENLABS_API_KEY"
```

### Step 5: Update Service Configs (5 min)

The import tool auto-updates:

- `~/system/config/*.json` files
- Environment variables
- Docker compose files (if applicable)

Manual verification required for:

- Any hardcoded credentials in code
- Third-party integrations
- CI/CD pipelines

### Step 6: Test Services (10 min)

```bash
# Test Anthropic (the API also requires the anthropic-version header)
curl -H "x-api-key: $ANTHROPIC_API_KEY" \
     -H "anthropic-version: 2023-06-01" \
     https://api.anthropic.com/v1/models

# Test ElevenLabs
curl -H "xi-api-key: $ELEVENLABS_API_KEY" https://api.elevenlabs.io/v1/user

# Test Telegram Bot
curl https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/getMe
```

### Step 7: Revoke Old Credentials (5 min)

Go back to each service and delete/revoke the old credentials to prevent unauthorized use.

## Automation Tool: credential-import.js

**Location:** `~/system/tools/credential-import.js` (500+ lines)
**Status:** ✅ READY TO USE (built 2026-01-31)

**Features:**

- Reads credentials from text file
- Saves all to macOS Keychain (encrypted)
- Updates `~/system/config/` JSON files
- Generates summary report
- Securely deletes temp files (shred + rm)

**Usage:**

```bash
node ~/system/tools/credential-import.js ~/temp-credentials.txt
```

**Output:**

- Keychain entries created
- Config files updated
- Summary report printed
- Temp file securely deleted

## Security Notes

### ✅ Secure Practices

- Credentials stored in macOS Keychain (encrypted at rest)
- Temp files securely deleted after import (7-pass shred)
- API keys use principle of least privilege
- Rotation schedule enforced (90-180 days)

Note on the shred step: `shred` is GNU coreutils and is not part of a default macOS install, and multi-pass overwriting gives no assurance on APFS/SSD storage (copy-on-write plus wear levelling). Treat the temp file as sensitive for its whole lifetime, keep it out of synced or backed-up folders, and keep that lifetime to the few minutes of the import.

### ❌ Current Weaknesses

- Some credentials still in plaintext in `docker-compose.yml` files (task #310)
- No automated expiry monitoring
- No central credential vault (consider Vault or 1Password)

### 🔄 Recommended Improvements

- **Move Docker secrets:** Extract passwords from `docker-compose.yml` to Docker secrets
- **Automated expiry alerts:** Script to check credential age and send alerts
- **Central vault:** Migrate to HashiCorp Vault or 1Password for centralized management
- **Audit logging:** Track who accessed which credential when

## Compliance & Best Practices

### Rotation Schedule

- High-risk credentials (admin, root): 30 days
- API keys (production): 90 days
- Service passwords (SMTP, DB): 180 days
- Personal accounts: Annually

### Documentation Requirements

- Record rotation date in CHANGELOG
- Update this document with new status
- Notify team of service disruptions

### Incident Response

If credential compromise is suspected:

1. Immediately rotate the affected credential
2. Audit logs for unauthorized usage
3. Revoke the old credential
4. Document the incident in `~/system/reports/security/`
5. Review access policies

## Related Documents

### Original Files (Archived)

- `CREDENTIAL-ROTATION-2026-01-31.md` - Initial audit
- `CREDENTIAL-ROTATION-ACTION-PLAN.md` - Step-by-step guide
- `CREDENTIAL-ROTATION-COMPLETE.md` - Infrastructure completion report
- `CREDENTIAL-ROTATION-FINDINGS.md` - Security findings
- `CREDENTIAL-ROTATION-INDEX.md` - File index
- `CREDENTIAL-ROTATION-README.md` - Quick reference
- `CREDENTIAL-ROTATION-STATUS.md` - Technical status
- `CREDENTIALS-ROTATION-README.md` - User guide
- `SUBAGENT-CREDENTIAL-ROTATION-REPORT.md` - Subagent execution report
- `SUBAGENT-CREDENTIAL-ROTATION-STATUS.md` - Subagent status

All originals preserved in: `~/system/context/docs/security/` (timestamped)

## Next Steps

1. **Schedule rotation:** Add to calendar (quarterly for API keys)
2. **Execute rotation:** Follow Steps 1-7 above
3. **Document completion:** Update this file with new dates
4. **Improve automation:** Build expiry monitoring script

**Maintained by:** John (AI Director)
**Reviewed by:** Alem (CEO)
**Next Review:** 2026-05-10 (90 days)
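The "Automated expiry alerts" improvement and the "Improve automation" next step both ask for a script that applies the Rotation Schedule above to the last rotation dates used in Step 1. The following is an added example written for this guide, not the project's own monitoring script. It assumes a small JSON inventory (`name`, `kind`, `rotatedAt`, optional `maxAgeDays`) that does not exist on the page, uses the 30/90/180/365-day windows from the Compliance section as defaults, and classifies each credential as `ok`, `due-soon` (within a warning window of the limit) or `overdue`. The inventory entries and dates below are constructed placeholders, not the real rotation log.

```javascript
'use strict';
// Added example for this guide: credential-age check against the Rotation
// Schedule. Not the project's own script; inventory format is an assumption.

const DAY_MS = 24 * 60 * 60 * 1000;

// Default windows taken from the Rotation Schedule in this guide.
const DEFAULT_MAX_AGE_DAYS = {
  'admin': 30,              // high-risk credentials (admin, root)
  'api-key': 90,            // production API keys
  'service-password': 180,  // SMTP, DB
  'personal': 365,          // personal accounts
};

// Constructed inventory with placeholder dates (not the real rotation log).
const INVENTORY = [
  { name: 'ANTHROPIC_API_KEY',    kind: 'api-key',          rotatedAt: '2026-01-31' },
  { name: 'ELEVENLABS_API_KEY',   kind: 'api-key',          rotatedAt: '2025-10-01' },
  { name: 'ONECOM_SMTP_PASSWORD', kind: 'service-password', rotatedAt: '2025-08-20' },
  { name: 'TELEGRAM_BOT_TOKEN',   kind: 'api-key',          rotatedAt: '2025-12-20' },
];

// Age one entry relative to `now` (ms since epoch). An explicit maxAgeDays on
// the entry overrides the kind default. Date-only strings parse as UTC, so the
// arithmetic is timezone-independent.
function checkCredential(entry, now, warnDays = 14) {
  const maxAge = entry.maxAgeDays ?? DEFAULT_MAX_AGE_DAYS[entry.kind];
  if (maxAge === undefined) throw new Error(`${entry.name}: unknown kind ${entry.kind}`);
  const rotated = Date.parse(entry.rotatedAt);
  if (Number.isNaN(rotated)) throw new Error(`${entry.name}: bad rotatedAt`);
  const ageDays = Math.floor((now - rotated) / DAY_MS);
  const daysLeft = maxAge - ageDays;
  const status = daysLeft < 0 ? 'overdue' : daysLeft <= warnDays ? 'due-soon' : 'ok';
  return { name: entry.name, ageDays, maxAgeDays: maxAge, daysLeft, status };
}

function checkInventory(inventory, now = Date.now(), warnDays = 14) {
  return inventory.map(e => checkCredential(e, now, warnDays));
}

// Alert body for anything not 'ok'; null when there is nothing to report,
// so a caller can skip sending an empty notification.
function alertMessage(results) {
  const needs = results.filter(r => r.status !== 'ok');
  if (needs.length === 0) return null;
  return needs.map(r => r.status === 'overdue'
    ? `OVERDUE: ${r.name} is ${r.ageDays} days old (limit ${r.maxAgeDays})`
    : `DUE SOON: ${r.name} expires in ${r.daysLeft} days`).join('\n');
}

// Stand-alone run against the constructed inventory at the current time.
const report = checkInventory(INVENTORY);
console.table(report);
console.log(alertMessage(report) ?? 'All credentials within rotation window');
```

Scheduled from `launchd` or cron, the script only needs a delivery step wired to `alertMessage` (for example a message to the same Telegram bot, using the token from the Keychain rather than a config file) to cover the "no automated expiry monitoring" weakness listed above.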