Build Plan — client/lumiscare CRITICAL Security
Build Plan: client/lumiscare — CRITICAL Security Remediation
Gap Analysis Reference: gap-analysis/client.md
Priority: CRITICAL
Blueprint Sections: 6.2 (Zero-Secrets-In-Repos), 3.7 (Secrets Scanning)
Date: 2026-04-29 | Planner: Petter Graff (MC #10043)
OBJECTIVE
Remove the RSA private keys (MyPrivate.key, CAPrivate.key) from the git history of the lumiscare repo (github.com/johnatbasicas/vivacare), implement gitleaks to prevent recurrence, and establish a proper SSL certificate management procedure. Target state: zero private keys in git history, with all certificates managed via Vaultwarden or an infrastructure secrets manager.
WORK BREAKDOWN
Step 1 — CEO Decision: Revoke or Confirm Keys (BLOCKING)
Action: CEO determines if MyPrivate.key and CAPrivate.key protect any live endpoint.
Who: CEO Alem Basic — cannot be delegated
Effort: S (30 min)
Acceptance: CEO written decision in MC task comment
Step 2 — Remove Keys from Git History
Who: Codecraft (FlowForge/kelsey-hightower.md for git operations)
Effort: M (2 hours including testing)
Acceptance: git log returns no results for key files; GitHub repo confirms no key files in any branch or tag
Step 3 — Add .key and .pem to .gitignore
Who: Codecraft
Effort: S (15 min)
Step 4 — Install gitleaks Pre-Commit Hook
Who: Securion (parisa-tabriz.md)
Effort: S (1 hour)
Step 5 — Add CI Secret Scanning
Who: Securion
Effort: M (1.5 hours)
TOTAL EFFORT: 4-5 hours (after CEO decision)
VALIDATION: Proveo verifies no secrets in git history + pre-commit hook functional
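One way to script the Step 2 and Step 3 acceptance checks, added here as an example and not part of the original plan. The function names are hypothetical, and `server.pem` is a constructed sample name used only to probe the `.pem` ignore rule.

```shell
#!/bin/sh
# Added example (not from the original plan). Function names are hypothetical.

# Print, de-duplicated, the paths on stdin that end in .key or .pem.
key_paths() {
    grep -Ei '\.(key|pem)$' | LC_ALL=C sort -u
}

# Succeed only if stdin (one path per line) names no key/PEM file.
assert_no_key_paths() {
    found=$(key_paths)
    if [ -n "$found" ]; then
        printf 'FAIL: key files still reachable in history:\n%s\n' "$found" >&2
        return 1
    fi
}

# Every path touched by any commit reachable from any ref (branches and tags).
# -m makes merge commits list their changed files as well.
history_paths() {
    git -C "$1" log --all -m --pretty=format: --name-only | sed '/^$/d'
}

# Full check against a clone at $1. Run it on a fresh clone so the
# result reflects what the remote actually serves.
verify_repo() {
    repo=$1 rc=0
    history_paths "$repo" | assert_no_key_paths || rc=1
    # A key committed under another name: search diffs for a PEM header.
    hits=$(git -C "$repo" log --all --oneline -G'BEGIN [A-Z ]*PRIVATE KEY')
    if [ -n "$hits" ]; then
        printf 'FAIL: commits containing a PEM private-key header:\n%s\n' "$hits" >&2
        rc=1
    fi
    # Step 3: both named keys, plus a constructed .pem name, must be ignored.
    for f in MyPrivate.key CAPrivate.key server.pem; do
        git -C "$repo" check-ignore -q --no-index "$f" ||
            { printf 'FAIL: %s is not covered by .gitignore\n' "$f" >&2; rc=1; }
    done
    return "$rc"
}

if [ -n "${1:-}" ]; then verify_repo "$1"; fi
```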
File location: /Users/makinja/system/specs/build-plans/client-lumiscare-CRITICAL.md
MC Task: #10043
Tags: system-reform-2026-04, MC-10043, petter-graff, build-plan, CRITICAL