Kordant/tasks/web-production/16-env-secrets.md
2026-05-26 16:06:34 -04:00

16. Environment Management & Secrets Rotation

meta:

  • id: web-production-16
  • feature: web-production
  • priority: P1
  • depends_on: []
  • tags: [security, infrastructure, production]

objective:

  • Implement secure environment variable management and automated secrets rotation

deliverables:

  • Environment variable validation on startup
  • Secrets manager integration (AWS Secrets Manager, Doppler, or 1Password)
  • Automated secrets rotation
  • Environment documentation

steps:

  1. Create environment validation:
    • Create web/src/server/lib/env.ts with a Zod/Valibot schema
    • Validate every required env var once, on server startup, and collect all problems before failing so one restart reports every missing or malformed var
    • Fail fast with a clear error that names the variable and the rule it failed; never print the value, since the offending value may be a real secret
    • Export the parsed, typed result and access env only through it, not through process.env, so an unvalidated var cannot be read anywhere in the codebase
  2. Migrate to secrets manager:
    • Set up Doppler or AWS Secrets Manager
    • Move DATABASE_URL, JWT_SECRET, STRIPE_SECRET_KEY, CLERK_SECRET_KEY to the secrets manager
    • Remove secrets from .env files, container images and task definitions in production; inject them at runtime only
    • Authenticate the app to the secrets manager with a workload identity (IAM task role, OIDC) rather than a long-lived access key, so there is no bootstrap secret to protect
    • Use short-lived, narrowly scoped credentials where the provider supports them instead of long-lived static keys
  3. Implement secrets rotation:
    • JWT secret: rotate quarterly; keep the previous key accepted for verification until the longest token lifetime has passed, so sessions issued before the rotation survive it
    • Database credentials: rotate monthly, alternating between two database users (or password slots) so connection pools drain onto the new credential without downtime
    • Stripe keys: rotate on the same schedule as other API keys, and immediately after any suspected leak; use restricted keys scoped to what the server actually calls
    • Other API keys: rotate every 6 months
    • Any secret: rotate immediately on suspected exposure, regardless of schedule
    • Automated rotation scripts that write the new value to the secrets manager and trigger a reload or redeploy, so rotation never depends on a manual edit
  4. Add environment documentation:
    • Document all environment variables in docs/ENVIRONMENT.md
    • Mark required vs optional
    • Include examples and validation rules
    • Document secrets rotation schedule
  5. Secure local development:
    • .env.example with obviously fake placeholder values, never real test keys
    • .env and .env.local in .gitignore (only .env.example is tracked)
    • Pre-commit hook (gitleaks or git-secrets) to block commits that contain secret-shaped strings
    • Use the 1Password CLI or Doppler CLI to inject local secrets at run time instead of keeping them in files
  6. Audit existing secrets:
    • Scan the full git history, all branches and tags, for leaked secrets (git-secrets, truffleHog, gitleaks)
    • Rotate any secret that ever reached the remote, even if the commit is later rewritten out of history; a pushed secret is compromised
    • Enable GitHub secret scanning, with push protection so new leaks are blocked at push time
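The validation module described in step 1, as an added example rather than the project's env.ts. It is a dependency-free stand-in for the Zod/Valibot schema; the variable names, the format rules (Stripe `sk_`/`rk_` prefixes, Postgres URL scheme, 32-character minimum for JWT_SECRET) and the production-only check on test-mode Stripe keys are assumptions. Errors name the variable and the failed rule but never echo the value.

```typescript
// Added example, not the project's code: dependency-free startup validation
// that collects every problem before failing and never logs secret values.
interface Rule {
  required: boolean;
  secret?: boolean;       // value must never appear in errors or logs
  minLength?: number;
  pattern?: RegExp;       // cheap shape check: catches pasting the wrong kind of key
  defaultValue?: string;
}

// Assumed schema for this project; adjust names and rules to match.
const ENV_SCHEMA = {
  NODE_ENV: { required: true, pattern: /^(development|test|production)$/ },
  PORT: { required: false, defaultValue: "3000", pattern: /^\d{2,5}$/ },
  DATABASE_URL: { required: true, secret: true, pattern: /^postgres(ql)?:\/\// },
  JWT_SECRET: { required: true, secret: true, minLength: 32 },
  STRIPE_SECRET_KEY: { required: true, secret: true, pattern: /^(sk|rk)_(test|live)_/ },
  CLERK_SECRET_KEY: { required: true, secret: true, pattern: /^sk_/ },
};

export type EnvName = keyof typeof ENV_SCHEMA;
export type Env = Readonly<Record<EnvName, string>>;

export class EnvValidationError extends Error {
  constructor(readonly problems: string[]) {
    super(
      `Invalid environment (${problems.length} problem(s)):\n` +
        problems.map((p) => `  - ${p}`).join("\n"),
    );
    this.name = "EnvValidationError";
  }
}

/**
 * Validate every variable in the schema. All problems are collected before
 * throwing so one restart reports every failure, and each message names the
 * variable and the rule it failed, never the value.
 */
export function validateEnv(source: Record<string, string | undefined>): Env {
  const problems: string[] = [];
  const out: Partial<Record<EnvName, string>> = {};

  for (const name of Object.keys(ENV_SCHEMA) as EnvName[]) {
    const rule: Rule = ENV_SCHEMA[name];
    const raw = source[name]?.trim();
    const value = raw !== undefined && raw !== "" ? raw : rule.defaultValue;
    if (value === undefined) {
      if (rule.required) problems.push(`${name}: required but not set`);
      continue;
    }
    if (rule.minLength !== undefined && value.length < rule.minLength) {
      problems.push(`${name}: must be at least ${rule.minLength} characters`);
    }
    if (rule.pattern && !rule.pattern.test(value)) {
      problems.push(`${name}: does not match the expected format`);
    }
    out[name] = value;
  }

  // Assumed cross-field rule: a Stripe test-mode key must not reach production.
  if (out.NODE_ENV === "production" && out.STRIPE_SECRET_KEY?.includes("_test_")) {
    problems.push("STRIPE_SECRET_KEY: test-mode key in a production environment");
  }

  if (problems.length > 0) throw new EnvValidationError(problems);
  return out as Env;
}

/** Call once at server startup: print the problem list to stderr and exit non-zero. */
export function loadEnvOrExit(source: Record<string, string | undefined> = process.env): Env {
  try {
    return validateEnv(source);
  } catch (err) {
    if (err instanceof EnvValidationError) {
      console.error(err.message);
      process.exit(1);
    }
    throw err;
  }
}
```

Import `loadEnvOrExit` from the server entry point before anything else reads configuration; everything downstream then takes the returned `Env` object rather than touching `process.env`, which is what makes the "type-safe access throughout codebase" deliverable enforceable.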

tests:

  • Unit: env validation reports every missing or malformed var in one pass, and the error text never contains a secret value
  • Security: verify no secrets in the codebase or history with a scanner
  • Integration: secrets are read from the secrets manager at startup, and a token issued before a JWT rotation still verifies during the overlap window

acceptance_criteria:

  • Server fails to start with clear error if required env var missing
  • Zero secrets in codebase or git history
  • All production secrets stored in secrets manager
  • Rotation schedule documented and automated
  • Environment documentation complete and accurate
  • GitHub secret scanning enabled
  • Pre-commit hooks preventing secret commits

validation:

  • Remove DATABASE_URL → server exits with clear error
  • Run truffleHog → no secrets found in history
  • Check secrets manager → all production secrets stored
  • Run rotation script → new JWT secret generated and active; tokens issued before the rotation still verify until they expire, and the app continues working
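The overlap behaviour that the rotation check above depends on, as an added example that is not the project's code: HS256 JWT issue and verify against a key ring, where rotation adds a new key and retires the old one only after every token signed with it has expired. The `kid` naming, the in-memory ring and the TTL are assumptions; in production the current and previous secrets would be loaded from the secrets manager rather than held in process memory.

```typescript
// Added example, not the project's code: JWT secret rotation with a key ring.
// A rotation is two steps: (1) add the new key and start signing with it while
// the old key still verifies; (2) after the longest token lifetime has passed,
// retire the old key. Skipping the overlap logs every user out at rotation.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

export interface SigningKey {
  kid: string;    // key id carried in the token header, e.g. "2026-Q2" (assumed naming)
  secret: Buffer; // 32 random bytes for HS256
}

export function newSigningKey(kid: string): SigningKey {
  return { kid, secret: randomBytes(32) };
}

/** The active signing key plus older keys that are still accepted for verification. */
export class JwtKeyRing {
  private readonly keys = new Map<string, SigningKey>();
  private activeKid: string;

  constructor(initial: SigningKey) {
    this.keys.set(initial.kid, initial);
    this.activeKid = initial.kid;
  }

  /** Rotation step 1: new tokens are signed with `next`; old keys keep verifying. */
  rotate(next: SigningKey): void {
    if (this.keys.has(next.kid)) throw new Error(`kid ${next.kid} already in ring`);
    this.keys.set(next.kid, next);
    this.activeKid = next.kid;
  }

  /** Rotation step 2: drop a key once every token signed with it has expired. */
  retire(kid: string): void {
    if (kid === this.activeKid) throw new Error("cannot retire the active signing key");
    this.keys.delete(kid);
  }

  active(): SigningKey { return this.keys.get(this.activeKid)!; }
  get(kid: string): SigningKey | undefined { return this.keys.get(kid); }
  get currentKid(): string { return this.activeKid; }
}

const b64url = (buf: Buffer): string => buf.toString("base64url");
const unb64url = (s: string): Buffer => Buffer.from(s, "base64url");
const b64urlJson = (obj: unknown): string => b64url(Buffer.from(JSON.stringify(obj), "utf8"));
const nowSeconds = (): number => Math.floor(Date.now() / 1000);

export function signJwt(ring: JwtKeyRing, claims: Record<string, unknown>,
                        ttlSeconds: number, now: number = nowSeconds()): string {
  const key = ring.active();
  const header = b64urlJson({ alg: "HS256", typ: "JWT", kid: key.kid });
  const payload = b64urlJson({ ...claims, iat: now, exp: now + ttlSeconds });
  const sig = createHmac("sha256", key.secret).update(`${header}.${payload}`).digest();
  return `${header}.${payload}.${b64url(sig)}`;
}

/** Returns the claims, or null for any token that must not be trusted. */
export function verifyJwt(ring: JwtKeyRing, token: string,
                          now: number = nowSeconds()): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;

  let header: { alg?: unknown; kid?: unknown };
  try { header = JSON.parse(unb64url(h).toString("utf8")); } catch { return null; }
  if (!header || typeof header !== "object") return null;
  // Pin the algorithm: the token never gets to choose "none" or another alg.
  if (header.alg !== "HS256" || typeof header.kid !== "string") return null;

  const key = ring.get(header.kid);
  if (!key) return null; // unknown or retired kid: the token is dead

  const expected = createHmac("sha256", key.secret).update(`${h}.${p}`).digest();
  const actual = unb64url(s);
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) return null;

  let claims: Record<string, unknown>;
  try { claims = JSON.parse(unb64url(p).toString("utf8")); } catch { return null; }
  if (!claims || typeof claims !== "object") return null;
  if (typeof claims.exp !== "number" || claims.exp <= now) return null;
  return claims;
}
```

The rotation script maps onto this directly: it writes the new secret as the current key and demotes the old one to a verify-only key, then, after the token lifetime has elapsed, removes the old one. Database credentials follow the same two-phase shape with two users instead of two keys.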

notes:

  • Doppler is excellent for team secret management
  • AWS Secrets Manager integrates well with ECS/Fargate
  • Never commit .env files — use .env.example only
  • Consider Sealed Secrets or the External Secrets Operator for Kubernetes, so the manifests in git never carry plaintext secrets