# Credential Audit Pattern Systematic verification of all credentials across a server's config files. ## Step 1 — Discover credential locations ```bash # Find .env files find /root/docker -name ".env" -o -name ".env.example" # Find password/cred files find /root/.config -type f \( -name "*.pass" -o -name "*.token" -o -name "*.cred" \) # Find embedded keys in config.yaml grep -rn "api_key\|password\|secret\|token" /root/.hermes/config.yaml | grep -v "^#" ``` ## Step 2 — Categorize by type | Type | Test Method | |------|------------| | Cloudflare API key | `GET /client/v4/user/tokens/verify` → 200 | | Firecrawl API key | `POST /api/v1/search` → 200 | | LLM provider key | `curl` to `/v1/models` → 200 | | IMAP password | `imaplib.IMAP4_SSL.login()` → OK | | SMTP password | `smtplib.SMTP.login()` → OK | | Database password | `SELECT 1` via native client | | Docker service password | `psql -U user -c "SELECT 1"` via docker exec | | CalDAV password | `PROPFIND` to caldav host → 207 | ## Step 3 — Test each credential Each test should return a clear SUCCESS/FAILURE indicator. Batch independent tests into a single terminal call. ## Step 4 — Report results | Credential | Location | Status | |-----------|----------|--------| | FIRECRAWL_API_KEY | ~/.hermes/.env | ✅ HTTP 200 | | admin-ai api_key | config.yaml | ✅ HTTP 200 | | g@germainebrown.com (IMAP) | himalaya/*.pass | ✅ LOGIN OK | ## Pitfalls - **Secrets redacted by the agent's redactor** — `read_file` and `grep` show secrets as `sk-lbh...bWPA`. Use `od -c` or `sed -n '8p' /root/.hermes/config.yaml | xxd` to recover actual values. - **iCloud app-specific passwords expire** — Apple requires new app-specific passwords periodically. Generate at appleid.apple.com → App-Specific Passwords. - **CalDAV passwords are NOT the same as IMAP passwords** — iCloud requires separate passwords for each service, and the CalDAV password file is different from the IMAP password file. - **Service environment vars may not be in .env** — Some services pass secrets via docker-compose `environment:` blocks or systemd `Environment=` lines. Check both docker-compose.yml and service unit files. - **"`Bearer ***` bug"** — Shell scripts that hardcode `***` instead of `$VARIABLE_NAME` in curl `Authorization` headers. Always verify the variable is used, not literal asterisks.