Files

3.5 KiB

Credential Audit — July 8, 2026

Full audit of every credential stored across the infrastructure. Results:

Credential Location Status
FIRECRAWL_API_KEY ~/.hermes/.env
CLOUDFLARE_API_TOKEN ~/.hermes/.env
admin-ai API key config.yaml
MYSQL_PASS (Apex DB) config.yaml
PG_DATABASE_PASSWORD (TwentyCRM) twenty/.env
ENCRYPTION_KEY (TwentyCRM) twenty/.env
g@germainebrown.com (IMAP) himalaya/*.pass
shonuff@germainebrown.com (IMAP) himalaya/*.pass
iCloud CalDAV himalaya/*.pass + config Repaired
DRE dre@ (IMAP) script inline
DRE collections@ (IMAP) script inline

Bug Found and Fixed: *** baked into health check script

service-health-check.sh had Authorization: Bearer *** hardcoded instead of using the $CLOUD_TOKEN variable. Hermes secret redactor replaced the actual token with *** when the script was first written, and that literal string stayed in the file. Every cron run sent Authorization: Bearer *** → Cloudflare returned a 401.

Fix: Changed to Authorization: Bearer $CLOUD_TOKEN and added ${CLOUDFLARE_API_TOKEN:-$(grep ...)} pattern so both the session env and .env file resolve the credential.

Lesson: Scripts that reference *** in their code were written with the real value at some point, but Hermes redacted it at write time. Always test scripts immediately after creation, especially if they claim to have saved a credential.

Also: CLOUDFLARE_API_TOKEN was only in the session environment, not in .env. Cron runs in a clean shell — it couldn't find the token. Added to .env.

iCloud CalDAV Password Repair

The CalDAV password for iCloud calendar (g-germainebrown-icloud-calendar.pass) was stale. Apple revokes old app-specific passwords when generating new ones.

Fix: Generated new password at appleid.apple.com → App-Specific Passwords → saved to .pass file, added CalDAV account config to ~/.config/himalaya/config.toml, verified via PROPFIND against https://caldav.icloud.com/ (HTTP 207 = Multi-Status = success).

Complete Credential Map

All credentials and credential locations for this infrastructure:

Service Account Credential Location Type Notes
Cloudflare API Token ~/.hermes/.env (CLOUDFLARE_API_TOKEN) Bearer token Zone:DNS:Edit + Registrar:Admin
Firecrawl API Key ~/.hermes/.env (FIRECRAWL_API_KEY) Bearer token fc- prefix
admin-ai LLM Provider ~/.hermes/config.yaml (providers.admin-ai.api_key) Bearer token sk- prefix, NOT in .env
germainebrown.com g@germainebrown.com ~/.config/himalaya/g-germainebrown.pass IMAP password Mail delivered via MXroute
germainebrown.com shonuff@germainebrown.com ~/.config/himalaya/shonuff.pass IMAP password BCC'd on all sends
iCloud g@germainebrown.com (CalDAV) ~/.config/himalaya/g-germainebrown-icloud-calendar.pass App-specific password Calendar sync, NOT IMAP
TwentyCRM PostgreSQL /root/docker/twenty/.env (PG_DATABASE_PASSWORD) DB password Docker compose .env file
TwentyCRM Encryption key /root/docker/twenty/.env (ENCRYPTION_KEY) AES key For data encryption at rest
Apex DB MySQL ~/.hermes/config.yaml (mcp_servers.mysql.env.MYSQL_PASS) DB password Tunnel via wphost02
DRE dre@/collections@ Inline in scripts + .env (DRE_EMAIL_PW) IMAP password Both use same password