# Build Plan: client/lumiscare — CRITICAL Security Remediation

- Gap Analysis Reference: gap-analysis/client.md
- Priority: CRITICAL
- Blueprint Sections: 6.2 (Zero-Secrets-In-Repos), 3.7 (Secrets Scanning)
- Date: 2026-04-29 | Planner: Petter Graff (MC #10043)

## OBJECTIVE

Remove the RSA private keys (MyPrivate.key, CAPrivate.key) from the git history of the lumiscare repo (github.com/johnatbasicas/vivacare), implement gitleaks to prevent recurrence, and establish a proper SSL certificate management procedure.

Target state: zero private keys in git history; all certificates managed via Vaultwarden or the infrastructure secrets manager.

## WORK BREAKDOWN

### Step 1 — CEO Decision: Revoke or Confirm Keys (BLOCKING)

- Action: CEO determines whether MyPrivate.key and CAPrivate.key protect any live endpoint.
- Who: CEO Alem Basic (cannot be delegated)
- Effort: S (30 min)
- Acceptance: CEO written decision in MC task comment

### Step 2 — Remove Keys from Git History

- Who: Codecraft (FlowForge/kelsey-hightower.md for git operations)
- Effort: M (2 hours including testing)
- Acceptance: git log returns no results for the key files; GitHub repo confirms no key files in any branch or tag

### Step 3 — Add .key and .pem to .gitignore

- Who: Codecraft
- Effort: S (15 min)

### Step 4 — Install gitleaks Pre-Commit Hook

- Who: Securion (parisa-tabriz.md)
- Effort: S (1 hour)

### Step 5 — Add CI Secret Scanning

- Who: Securion
- Effort: M (1.5 hours)

TOTAL EFFORT: 4-5 hours (after CEO decision)

VALIDATION: Proveo verifies no secrets in git history + pre-commit hook functional

- File location: /Users/makinja/system/specs/build-plans/client-lumiscare-CRITICAL.md
- MC Task: #10043
- Tags: system-reform-2026-04, MC-10043, petter-graff, build-plan, CRITICAL
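The following is an added example, not code from the build plan or from the vivacare repository: a POSIX shell script that rehearses Steps 2 through 5 on a throwaway repository it constructs itself (the "key" content is a placeholder, not a real key) and ends with the Step 2 acceptance check across every branch and tag. It assumes git is installed, that the tool Step 4 installs is gitleaks v8 (the hook calls its `protect --staged` subcommand and fails closed if the binary is missing), and that the Step 5 pipeline is GitHub Actions, since the repo lives on GitHub; the hook and workflow contents are this editor's illustration, not Securion's deliverables. The history rewrite uses `git filter-branch` because it ships with git; git's own documentation now points to `git filter-repo` as the preferred tool, which the Step 2 operator may well choose instead.

```shell
#!/usr/bin/env sh
# Added example, not part of the build plan or the lumiscare repo. Rehearses
# Steps 2-5 on a throwaway repository constructed below. Assumes git is
# installed and that file names carry no spaces. No real key material is used.
set -eu

# Step 2 acceptance check: every .key/.pem path reachable from any branch or
# tag, printed one per line. Returns 0 when history is clean, 1 otherwise.
list_key_paths() {
  repo="$1"
  hits=$(git -C "$repo" log --all --name-only --pretty=format: -- '*.key' '*.pem' | sed '/^$/d' | sort -u)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Step 2: rewrite all branches and tags so the named files never existed, then
# drop the backup refs, reflogs and unreachable blobs that would otherwise keep
# the material recoverable from the local clone.
purge_from_history() {
  repo="$1"; shift
  FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$repo" filter-branch --force \
    --index-filter "git rm --cached --ignore-unmatch -- $*" \
    --prune-empty --tag-name-filter cat -- --all
  git -C "$repo" for-each-ref --format='delete %(refname)' refs/original/ | git -C "$repo" update-ref --stdin
  git -C "$repo" reflog expire --expire=now --all
  git -C "$repo" gc --prune=now --quiet
}

# Step 3: ignore key material going forward (has no effect on files already tracked).
add_gitignore_rules() {
  repo="$1"
  for pattern in '*.key' '*.pem'; do
    grep -qxF -- "$pattern" "$repo/.gitignore" 2>/dev/null ||
      printf '%s\n' "$pattern" >>"$repo/.gitignore"
  done
}

# Step 4: pre-commit hook that runs gitleaks against the staged changes and
# fails closed when gitleaks is missing, so a broken tool is never a silent bypass.
install_precommit_hook() {
  repo="$1"
  mkdir -p "$repo/.git/hooks"
  cat >"$repo/.git/hooks/pre-commit" <<'EOF'
#!/usr/bin/env sh
command -v gitleaks >/dev/null 2>&1 || { echo "pre-commit: gitleaks is not installed; refusing to commit" >&2; exit 1; }
exec gitleaks protect --staged --redact --verbose
EOF
  chmod +x "$repo/.git/hooks/pre-commit"
}

# Step 5: GitHub Actions workflow scanning the full history on every push and
# pull request. fetch-depth 0 matters: a shallow clone hides old commits.
write_ci_workflow() {
  repo="$1"
  mkdir -p "$repo/.github/workflows"
  cat >"$repo/.github/workflows/gitleaks.yml" <<'EOF'
name: gitleaks
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
EOF
}

# Constructed fixture: a repo in which placeholder "private keys" were committed
# and tagged, mimicking the finding. Prints the repo path.
make_demo_repo() {
  repo=$(mktemp -d)
  git init -q "$repo"
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config user.name demo
  printf 'server config\n' >"$repo/nginx.conf"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-NOT-A-REAL-KEY' \
    '-----END RSA PRIVATE KEY-----' >"$repo/MyPrivate.key"
  cp "$repo/MyPrivate.key" "$repo/CAPrivate.key"
  git -C "$repo" add -A && git -C "$repo" commit -q -m 'add ssl setup'
  git -C "$repo" tag v1.0
  printf 'more config\n' >>"$repo/nginx.conf"
  git -C "$repo" commit -q -am 'tweak config'
  printf '%s\n' "$repo"
}

# Usage: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  R=$(make_demo_repo)
  echo "before purge:"; list_key_paths "$R" || true
  purge_from_history "$R" MyPrivate.key CAPrivate.key >/dev/null 2>&1
  add_gitignore_rules "$R"; install_precommit_hook "$R"; write_ci_workflow "$R"
  echo "after purge:"; list_key_paths "$R" && echo "history clean"
fi
```

Run with `--demo` to see the before and after on the fixture. Two points the plan's acceptance criteria depend on: the history check must use `--all`, because a plain `git log` on the checked-out branch misses tags and other branches; and the rewrite only removes the material from the repository copies it is pushed to. Existing clones and forks still hold the old objects, and GitHub keeps force-pushed commits reachable by SHA until support purges them, which is why Step 1's revoke-or-confirm decision stays blocking: a key that has been in a repository must be treated as exposed regardless of how cleanly the history is rewritten afterwards.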