51 lines
3.5 KiB
Markdown
51 lines
3.5 KiB
Markdown
# Credential Audit — July 8, 2026
|
|
|
|
Full audit of every credential stored across the infrastructure. Results:
|
|
|
|
| Credential | Location | Status |
|
|
|-----------|----------|--------|
|
|
| FIRECRAWL_API_KEY | ~/.hermes/.env | ✅ |
|
|
| CLOUDFLARE_API_TOKEN | ~/.hermes/.env | ✅ |
|
|
| admin-ai API key | config.yaml | ✅ |
|
|
| MYSQL_PASS (Apex DB) | config.yaml | ✅ |
|
|
| PG_DATABASE_PASSWORD (TwentyCRM) | twenty/.env | ✅ |
|
|
| ENCRYPTION_KEY (TwentyCRM) | twenty/.env | ✅ |
|
|
| g@germainebrown.com (IMAP) | himalaya/*.pass | ✅ |
|
|
| shonuff@germainebrown.com (IMAP) | himalaya/*.pass | ✅ |
|
|
| iCloud CalDAV | himalaya/*.pass + config | ✅ Repaired |
|
|
| DRE dre@ (IMAP) | script inline | ✅ |
|
|
| DRE collections@ (IMAP) | script inline | ✅ |
|
|
|
|
## Bug Found and Fixed: `***` baked into health check script
|
|
|
|
`service-health-check.sh` had `Authorization: Bearer ***` hardcoded instead of using the `$CLOUD_TOKEN` variable. Hermes secret redactor replaced the actual token with `***` when the script was first written, and that literal string stayed in the file. Every cron run sent `Authorization: Bearer ***` → Cloudflare returned a 401.
|
|
|
|
**Fix:** Changed to `Authorization: Bearer $CLOUD_TOKEN` and added `${CLOUDFLARE_API_TOKEN:-$(grep ...)}` pattern so both the session env and .env file resolve the credential.
|
|
|
|
**Lesson:** Scripts that reference `***` in their code were written with the real value at some point, but Hermes redacted it at write time. Always test scripts immediately after creation, especially if they claim to have saved a credential.
|
|
|
|
Also: CLOUDFLARE_API_TOKEN was only in the session environment, not in `.env`. Cron runs in a clean shell — it couldn't find the token. Added to `.env`.
|
|
|
|
## iCloud CalDAV Password Repair
|
|
|
|
The CalDAV password for iCloud calendar (`g-germainebrown-icloud-calendar.pass`) was stale. Apple revokes old app-specific passwords when generating new ones.
|
|
|
|
**Fix:** Generated new password at appleid.apple.com → App-Specific Passwords → saved to `.pass` file, added CalDAV account config to `~/.config/himalaya/config.toml`, verified via PROPFIND against `https://caldav.icloud.com/` (HTTP 207 = Multi-Status = success).
|
|
|
|
## Complete Credential Map
|
|
|
|
All credentials and credential locations for this infrastructure:
|
|
|
|
| Service | Account | Credential Location | Type | Notes |
|
|
|---------|---------|-------------------|------|-------|
|
|
| Cloudflare | API Token | ~/.hermes/.env (CLOUDFLARE_API_TOKEN) | Bearer token | Zone:DNS:Edit + Registrar:Admin |
|
|
| Firecrawl | API Key | ~/.hermes/.env (FIRECRAWL_API_KEY) | Bearer token | fc- prefix |
|
|
| admin-ai | LLM Provider | ~/.hermes/config.yaml (providers.admin-ai.api_key) | Bearer token | sk- prefix, NOT in .env |
|
|
| germainebrown.com | g@germainebrown.com | ~/.config/himalaya/g-germainebrown.pass | IMAP password | Mail delivered via MXroute |
|
|
| germainebrown.com | shonuff@germainebrown.com | ~/.config/himalaya/shonuff.pass | IMAP password | BCC'd on all sends |
|
|
| iCloud | g@germainebrown.com (CalDAV) | ~/.config/himalaya/g-germainebrown-icloud-calendar.pass | App-specific password | Calendar sync, NOT IMAP |
|
|
| TwentyCRM | PostgreSQL | /root/docker/twenty/.env (PG_DATABASE_PASSWORD) | DB password | Docker compose .env file |
|
|
| TwentyCRM | Encryption key | /root/docker/twenty/.env (ENCRYPTION_KEY) | AES key | For data encryption at rest |
|
|
| Apex DB | MySQL | ~/.hermes/config.yaml (mcp_servers.mysql.env.MYSQL_PASS) | DB password | Tunnel via wphost02 |
|
|
| DRE | dre@/collections@ | Inline in scripts + .env (DRE_EMAIL_PW) | IMAP password | Both use same password |
|