# Build Plan: client/lumiscare — CRITICAL Security Remediation

**Gap Analysis Reference:** gap-analysis/client.md  
**Priority:** CRITICAL  
**Blueprint Sections:** 6.2 (Zero-Secrets-In-Repos), 3.7 (Secrets Scanning)  
**Date:** 2026-04-29 | Planner: Petter Graff (MC #10043)

## OBJECTIVE

Remove the RSA private keys (MyPrivate.key, CAPrivate.key) from the git history of the lumiscare repo (github.com/johnatbasicas/vivacare), implement gitleaks to prevent recurrence, and establish a proper SSL certificate management procedure. Target state: zero private keys in git history, with all certificates managed via Vaultwarden or an infrastructure secrets manager.

## WORK BREAKDOWN

### Step 1 — CEO Decision: Revoke or Confirm Keys (BLOCKING)

**Action:** CEO determines if MyPrivate.key and CAPrivate.key protect any live endpoint.  
**Who:** CEO Alem Basic — cannot be delegated  
**Effort:** S (30 min)  
**Acceptance:** CEO written decision in MC task comment

### Step 2 — Remove Keys from Git History

**Who:** Codecraft (FlowForge/kelsey-hightower.md for git operations)  
**Effort:** M (2 hours including testing)  
**Acceptance:** git log returns no results for key files; GitHub repo confirms no key files in any branch or tag

### Step 3 — Add .key and .pem to .gitignore

**Who:** Codecraft  
**Effort:** S (15 min)

### Step 4 — Install gitleaks Pre-Commit Hook

**Who:** Securion (parisa-tabriz.md)  
**Effort:** S (1 hour)

### Step 5 — Add CI Secret Scanning

**Who:** Securion  
**Effort:** M (1.5 hours)

**TOTAL EFFORT:** 4-5 hours (after CEO decision)  
**VALIDATION:** Proveo verifies no secrets in git history + pre-commit hook functional
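
One way the validation of Steps 2 to 4 could be scripted, as an added example that is not part of the original plan. It assumes a local clone and a pre-commit hook script that invokes gitleaks by name; all function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: checks for the acceptance criteria of Steps 2-4.
# Assumptions (not in the plan): run against a local clone; the gitleaks hook
# is a script at the repo's pre-commit hook path that invokes gitleaks by name.

# Step 2: paths ending in .key/.pem touched by any commit on any ref.
key_paths_in_history() {
  git -C "$1" log --all --format= --name-only -- '*.key' '*.pem' | sed '/^$/d' | sort -u
}

# Step 2: commits that added or removed PEM private-key markers, which also
# catches a key committed under another file name.
key_material_commits() {
  git -C "$1" log --all --format=%h -S'PRIVATE KEY-----'
}

# Step 3: probe paths need not exist; check-ignore exits 0 only if ignored.
ignores_key_files() {
  git -C "$1" check-ignore -q probe.key && git -C "$1" check-ignore -q probe.pem
}

# Step 4: hook exists, is executable, and references gitleaks.
# rev-parse --git-path honours core.hooksPath.
has_gitleaks_hook() {
  (
    cd "$1" || exit 1
    hook=$(git rev-parse --git-path hooks/pre-commit) || exit 1
    [ -x "$hook" ] && grep -q gitleaks "$hook"
  )
}

# Runs all checks, prints one line per failure, returns the failure count.
verify_repo() {
  repo=$1; fails=0
  if [ -n "$(key_paths_in_history "$repo")" ]; then
    echo "FAIL: key/pem paths still in history:"; key_paths_in_history "$repo"
    fails=$((fails + 1))
  fi
  if [ -n "$(key_material_commits "$repo")" ]; then
    echo "FAIL: commits still carry private-key markers"; fails=$((fails + 1))
  fi
  ignores_key_files "$repo" || { echo "FAIL: .gitignore misses *.key/*.pem"; fails=$((fails + 1)); }
  has_gitleaks_hook "$repo" || { echo "FAIL: no executable gitleaks pre-commit hook"; fails=$((fails + 1)); }
  return "$fails"
}

if [ "$#" -gt 0 ]; then verify_repo "$1"; fi
```

Run it on a fresh clone made after the history rewrite, since a clone taken earlier still holds the pre-rewrite refs and will report the old commits.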

**File location:** /Users/makinja/system/specs/build-plans/client-lumiscare-CRITICAL.md  
**MC Task:** #10043  
**Tags:** system-reform-2026-04, MC-10043, petter-graff, build-plan, CRITICAL