1 · Pre-flight security hygiene (P0)

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: 1 · Pre-flight security hygiene (P0)
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/12-production/01-preflight/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 12
- step_number: 1
- est_time: ~45 min
- description: Never skip this — rotate every test-mode key and staging password that touched a chat or log, migrate plaintext credentials into a secrets manager, re-scope over-privileged service accounts, and record the audit.
- tags: codecanyon, laravel, security, secrets

## Execution rules (binding)
- This is step 1 of phase 12 (~45 min) — do only this step, then stop at its `## Checklist`.
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# 1 · Pre-flight security hygiene (P0)

## TL;DR

**Objective** — rotate every test-mode key and staging password that touched a chat or log, vault plaintext credentials, re-scope over-privileged service accounts, and record the audit, so no convenience credential from iteration becomes a liability the moment real traffic arrives.

:::note[User part + done-when]
**👤 User part** — this whole step is people-only: rotating keys in gateway dashboards, changing passwords in hosting panels, moving secrets into a password manager / vault, and narrowing API-key scopes are all browser/console actions an agent can't perform. An agent can draft the audit record, but the rotations themselves are yours.

**Done when** all test-mode keys + staging passwords are rotated (old values revoked), plaintext credentials live in a vault, service-account scopes are minimized, and the audit summary is committed. &nbsp;·&nbsp; **⏱ ~45 min** &nbsp;·&nbsp; 👤 user-driven (dashboards + vault).
:::

## Background

**Never skip this.** Every production deploy starts here. Staging and production are different security contexts: credentials that were convenient during iteration become liabilities the moment real traffic arrives.

:::danger[Treat anything pasted into an agent as compromised]
AI chat transcripts may be logged, cached, or backed up by the harness or any intermediary. Any key, password, or token that appeared in a chat or log should be considered exposed and rotated **before** production goes live — regardless of whether the session was "private".
:::

:::caution[Set the production Admin-Server posture before deploy]
The production server's monitoring agent must run in production mode, not a leftover staging posture. In `~/Admin-Server/config/server.env` on the **production** host, confirm:

- `SERVER_ENV="production"` — drives the production alert prefix and standard palette.
- `DIAGNOSTIC_MODE="false"` — terse alerts, no debug noise.
- `REDACT_PATHS="true"` — masks `$HOME` in alert payloads (privacy + security).

If any still carry staging values (`SERVER_ENV="staging"`, `DIAGNOSTIC_MODE="true"`), fix them **before** the production deploy, then confirm the displayed posture:

```bash
ssh <SSH_PRODUCTION_ALIAS> '~/Admin-Server/scripts/status.sh'
# Expected: ENV/REDACT/DIAGNOSTIC show production · true · false
```
:::

## Steps

### 1. Rotate every test-mode payment key

Roll each key that appeared in chat or log history, then revoke the old value at the source.

:::note[Who does this]
👤 **User** rotates keys in the gateway dashboard — a browser action an agent can't perform.
:::

<Steps>

1. **Roll each test-mode key** in the gateway dashboard, update the staging environment with the new value, and revoke the old key.

   - ✅ Every test-mode key is rotated and the old keys are revoked at the source.

</Steps>

### 2. Rotate all staging-side passwords

SMTP, database, and hosting-panel credentials — and any password that lived in a plaintext file.

:::note[Who does this]
👤 **User** changes each password in the hosting panel / provider console.
:::

<Steps>

1. **Rotate the staging-side passwords** — SMTP, database, hosting-panel, and anything that lived in a plaintext file.

   - ✅ All staging-side passwords are rotated.

</Steps>

### 3. Migrate plaintext credentials into a real secrets manager

Move every secret into the appropriate vault, then replace the plaintext store with pointers (or delete it and `.gitignore` it).

:::note[Who does this]
👤 **User** moves the secrets into a password manager / vault and removes the plaintext store.
:::

<Steps>

1. **Move every secret into the appropriate vault**, then replace the plaintext store with pointers — or delete it and `.gitignore` it.

   - ✅ Plaintext credentials are replaced with vault pointers (or deleted + gitignored).

</Steps>

### 4. Re-scope over-privileged service accounts

Narrow each API key and the deploy user to the minimum permissions they actually need.

:::note[Who does this]
👤 **User** edits scopes in each provider's console (payments, analytics, error tracking, deploy user).
:::

<Steps>

1. **Narrow each API key and the deploy user** — payments, analytics, error tracking — to the minimum permissions they actually need.

   - ✅ Every service-account scope is narrowed to the minimum.

</Steps>

### 5. Record the audit

Capture what changed so the rotation is auditable later. An agent can draft this record from your notes.

<Steps>

1. **Write the audit summary** in your customizations log — what was rotated, what moved to the vault, what was re-scoped, and any accepted exceptions with the reason.

   - ✅ The audit summary is committed.

</Steps>

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **👤 Test-mode keys rotated** — every test-mode payment key rolled; old keys revoked at the source.
- [ ] **👤 Staging passwords rotated** — SMTP, database, and hosting-panel credentials all changed.
- [ ] **👤 Credentials vaulted** — plaintext secrets replaced with vault pointers (or deleted + gitignored).
- [ ] **👤 Scopes minimized** — every API key and the deploy user narrowed to minimum permissions.
- [ ] **🔀 Audit recorded** — rotation/move/re-scope summary committed to the customizations log.

:::next[Next step]
[Release & deploy](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/12-production/02-release-and-deploy/)
:::

# 1 · Pre-flight security hygiene (P0)

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/12-production/01-preflight/

## TL;DR

**Objective** — rotate every test-mode key and staging password that touched a chat or log, vault plaintext credentials, re-scope over-privileged service accounts, and record the audit, so no convenience credential from iteration becomes a liability the moment real traffic arrives.

:::note[User part + done-when]
**👤 User part** — this whole step is people-only: rotating keys in gateway dashboards, changing passwords in hosting panels, moving secrets into a password manager / vault, and narrowing API-key scopes are all browser/console actions an agent can't perform. An agent can draft the audit record, but the rotations themselves are yours.

**Done when** all test-mode keys + staging passwords are rotated (old values revoked), plaintext credentials live in a vault, service-account scopes are minimized, and the audit summary is committed. &nbsp;·&nbsp; **⏱ ~45 min** &nbsp;·&nbsp; 👤 user-driven (dashboards + vault).
:::

## Background

**Never skip this.** Every production deploy starts here. Staging and production are different security contexts: credentials that were convenient during iteration become liabilities the moment real traffic arrives.

:::danger[Treat anything pasted into an agent as compromised]
AI chat transcripts may be logged, cached, or backed up by the harness or any intermediary. Any key, password, or token that appeared in a chat or log should be considered exposed and rotated **before** production goes live — regardless of whether the session was "private".
:::

:::caution[Set the production Admin-Server posture before deploy]
The production server's monitoring agent must run in production mode, not a leftover staging posture. In `~/Admin-Server/config/server.env` on the **production** host, confirm:

- `SERVER_ENV="production"` — drives the production alert prefix and standard palette.
- `DIAGNOSTIC_MODE="false"` — terse alerts, no debug noise.
- `REDACT_PATHS="true"` — masks `$HOME` in alert payloads (privacy + security).

If any still carry staging values (`SERVER_ENV="staging"`, `DIAGNOSTIC_MODE="true"`), fix them **before** the production deploy, then confirm the displayed posture:

```bash
ssh <SSH_PRODUCTION_ALIAS> '~/Admin-Server/scripts/status.sh'
# Expected: ENV/REDACT/DIAGNOSTIC show production · true · false
```
:::

## Steps

### 1. Rotate every test-mode payment key

Roll each key that appeared in chat or log history, then revoke the old value at the source.

:::note[Who does this]
👤 **User** rotates keys in the gateway dashboard — a browser action an agent can't perform.
:::

<Steps>

1. **Roll each test-mode key** in the gateway dashboard, update the staging environment with the new value, and revoke the old key.

   - ✅ Every test-mode key is rotated and the old keys are revoked at the source.

</Steps>

### 2. Rotate all staging-side passwords

SMTP, database, and hosting-panel credentials — and any password that lived in a plaintext file.

:::note[Who does this]
👤 **User** changes each password in the hosting panel / provider console.
:::

<Steps>

1. **Rotate the staging-side passwords** — SMTP, database, hosting-panel, and anything that lived in a plaintext file.

   - ✅ All staging-side passwords are rotated.

</Steps>

### 3. Migrate plaintext credentials into a real secrets manager

Move every secret into the appropriate vault, then replace the plaintext store with pointers (or delete it and `.gitignore` it).

:::note[Who does this]
👤 **User** moves the secrets into a password manager / vault and removes the plaintext store.
:::

<Steps>

1. **Move every secret into the appropriate vault**, then replace the plaintext store with pointers — or delete it and `.gitignore` it.

   - ✅ Plaintext credentials are replaced with vault pointers (or deleted + gitignored).

</Steps>

### 4. Re-scope over-privileged service accounts

Narrow each API key and the deploy user to the minimum permissions they actually need.

:::note[Who does this]
👤 **User** edits scopes in each provider's console (payments, analytics, error tracking, deploy user).
:::

<Steps>

1. **Narrow each API key and the deploy user** — payments, analytics, error tracking — to the minimum permissions they actually need.

   - ✅ Every service-account scope is narrowed to the minimum.

</Steps>

### 5. Record the audit

Capture what changed so the rotation is auditable later. An agent can draft this record from your notes.

<Steps>

1. **Write the audit summary** in your customizations log — what was rotated, what moved to the vault, what was re-scoped, and any accepted exceptions with the reason.

   - ✅ The audit summary is committed.

</Steps>

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **👤 Test-mode keys rotated** — every test-mode payment key rolled; old keys revoked at the source.
- [ ] **👤 Staging passwords rotated** — SMTP, database, and hosting-panel credentials all changed.
- [ ] **👤 Credentials vaulted** — plaintext secrets replaced with vault pointers (or deleted + gitignored).
- [ ] **👤 Scopes minimized** — every API key and the deploy user narrowed to minimum permissions.
- [ ] **🔀 Audit recorded** — rotation/move/re-scope summary committed to the customizations log.

:::next[Next step]
[Release & deploy](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/12-production/02-release-and-deploy/)
:::

TL;DR

Objective — rotate every test-mode key and staging password that touched a chat or log, vault plaintext credentials, re-scope over-privileged service accounts, and record the audit, so no convenience credential from iteration becomes a liability the moment real traffic arrives.

Background

Never skip this. Every production deploy starts here. Staging and production are different security contexts: credentials that were convenient during iteration become liabilities the moment real traffic arrives.

The production server’s monitoring agent must run in production mode, not a leftover staging posture. In ~/Admin-Server/config/server.env on the production host, confirm:

SERVER_ENV="production" — drives the production alert prefix and standard palette.
DIAGNOSTIC_MODE="false" — terse alerts, no debug noise.
REDACT_PATHS="true" — masks $HOME in alert payloads (privacy + security).

If any still carry staging values (SERVER_ENV="staging", DIAGNOSTIC_MODE="true"), fix them before the production deploy, then confirm the displayed posture:

ssh <SSH_PRODUCTION_ALIAS> '~/Admin-Server/scripts/status.sh'
# Expected: ENV/REDACT/DIAGNOSTIC show production · true · false

Steps

1. Rotate every test-mode payment key

Roll each key that appeared in chat or log history, then revoke the old value at the source.

Roll each test-mode key in the gateway dashboard, update the staging environment with the new value, and revoke the old key.
- ✅ Every test-mode key is rotated and the old keys are revoked at the source.

2. Rotate all staging-side passwords

SMTP, database, and hosting-panel credentials — and any password that lived in a plaintext file.

Rotate the staging-side passwords — SMTP, database, hosting-panel, and anything that lived in a plaintext file.
- ✅ All staging-side passwords are rotated.

3. Migrate plaintext credentials into a real secrets manager

Move every secret into the appropriate vault, then replace the plaintext store with pointers (or delete it and .gitignore it).

Move every secret into the appropriate vault, then replace the plaintext store with pointers — or delete it and .gitignore it.
- ✅ Plaintext credentials are replaced with vault pointers (or deleted + gitignored).

4. Re-scope over-privileged service accounts

Narrow each API key and the deploy user to the minimum permissions they actually need.

Narrow each API key and the deploy user — payments, analytics, error tracking — to the minimum permissions they actually need.
- ✅ Every service-account scope is narrowed to the minimum.

5. Record the audit

Capture what changed so the rotation is auditable later. An agent can draft this record from your notes.

Write the audit summary in your customizations log — what was rotated, what moved to the vault, what was re-scoped, and any accepted exceptions with the reason.
- ✅ The audit summary is committed.

Checklist

Do not mark this step done until every box below is checked.

👤 Test-mode keys rotated — every test-mode payment key rolled; old keys revoked at the source.
👤 Staging passwords rotated — SMTP, database, and hosting-panel credentials all changed.
👤 Credentials vaulted — plaintext secrets replaced with vault pointers (or deleted + gitignored).
👤 Scopes minimized — every API key and the deploy user narrowed to minimum permissions.
🔀 Audit recorded — rotation/move/re-scope summary committed to the customizations log.

Release & deploy

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: 1 · Pre-flight security hygiene (P0)
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/12-production/01-preflight/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 12
- step_number: 1
- est_time: ~45 min
- description: Never skip this — rotate every test-mode key and staging password that touched a chat or log, migrate plaintext credentials into a secrets manager, re-scope over-privileged service accounts, and record the audit.
- tags: codecanyon, laravel, security, secrets

## Execution rules (binding)
- This is step 1 of phase 12 (~45 min) — do only this step, then stop at its `## Checklist`.
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# 1 · Pre-flight security hygiene (P0)

## TL;DR

**Objective** — rotate every test-mode key and staging password that touched a chat or log, vault plaintext credentials, re-scope over-privileged service accounts, and record the audit, so no convenience credential from iteration becomes a liability the moment real traffic arrives.

:::note[User part + done-when]
**👤 User part** — this whole step is people-only: rotating keys in gateway dashboards, changing passwords in hosting panels, moving secrets into a password manager / vault, and narrowing API-key scopes are all browser/console actions an agent can't perform. An agent can draft the audit record, but the rotations themselves are yours.

**Done when** all test-mode keys + staging passwords are rotated (old values revoked), plaintext credentials live in a vault, service-account scopes are minimized, and the audit summary is committed. &nbsp;·&nbsp; **⏱ ~45 min** &nbsp;·&nbsp; 👤 user-driven (dashboards + vault).
:::

## Background

**Never skip this.** Every production deploy starts here. Staging and production are different security contexts: credentials that were convenient during iteration become liabilities the moment real traffic arrives.

:::danger[Treat anything pasted into an agent as compromised]
AI chat transcripts may be logged, cached, or backed up by the harness or any intermediary. Any key, password, or token that appeared in a chat or log should be considered exposed and rotated **before** production goes live — regardless of whether the session was "private".
:::

:::caution[Set the production Admin-Server posture before deploy]
The production server's monitoring agent must run in production mode, not a leftover staging posture. In `~/Admin-Server/config/server.env` on the **production** host, confirm:

- `SERVER_ENV="production"` — drives the production alert prefix and standard palette.
- `DIAGNOSTIC_MODE="false"` — terse alerts, no debug noise.
- `REDACT_PATHS="true"` — masks `$HOME` in alert payloads (privacy + security).

If any still carry staging values (`SERVER_ENV="staging"`, `DIAGNOSTIC_MODE="true"`), fix them **before** the production deploy, then confirm the displayed posture:

```bash
ssh <SSH_PRODUCTION_ALIAS> '~/Admin-Server/scripts/status.sh'
# Expected: ENV/REDACT/DIAGNOSTIC show production · true · false
```
:::

## Steps

### 1. Rotate every test-mode payment key

Roll each key that appeared in chat or log history, then revoke the old value at the source.

:::note[Who does this]
👤 **User** rotates keys in the gateway dashboard — a browser action an agent can't perform.
:::

<Steps>

1. **Roll each test-mode key** in the gateway dashboard, update the staging environment with the new value, and revoke the old key.

   - ✅ Every test-mode key is rotated and the old keys are revoked at the source.

</Steps>

### 2. Rotate all staging-side passwords

SMTP, database, and hosting-panel credentials — and any password that lived in a plaintext file.

:::note[Who does this]
👤 **User** changes each password in the hosting panel / provider console.
:::

<Steps>

1. **Rotate the staging-side passwords** — SMTP, database, hosting-panel, and anything that lived in a plaintext file.

   - ✅ All staging-side passwords are rotated.

</Steps>

### 3. Migrate plaintext credentials into a real secrets manager

Move every secret into the appropriate vault, then replace the plaintext store with pointers (or delete it and `.gitignore` it).

:::note[Who does this]
👤 **User** moves the secrets into a password manager / vault and removes the plaintext store.
:::

<Steps>

1. **Move every secret into the appropriate vault**, then replace the plaintext store with pointers — or delete it and `.gitignore` it.

   - ✅ Plaintext credentials are replaced with vault pointers (or deleted + gitignored).

</Steps>

### 4. Re-scope over-privileged service accounts

Narrow each API key and the deploy user to the minimum permissions they actually need.

:::note[Who does this]
👤 **User** edits scopes in each provider's console (payments, analytics, error tracking, deploy user).
:::

<Steps>

1. **Narrow each API key and the deploy user** — payments, analytics, error tracking — to the minimum permissions they actually need.

   - ✅ Every service-account scope is narrowed to the minimum.

</Steps>

### 5. Record the audit

Capture what changed so the rotation is auditable later. An agent can draft this record from your notes.

<Steps>

1. **Write the audit summary** in your customizations log — what was rotated, what moved to the vault, what was re-scoped, and any accepted exceptions with the reason.

   - ✅ The audit summary is committed.

</Steps>

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **👤 Test-mode keys rotated** — every test-mode payment key rolled; old keys revoked at the source.
- [ ] **👤 Staging passwords rotated** — SMTP, database, and hosting-panel credentials all changed.
- [ ] **👤 Credentials vaulted** — plaintext secrets replaced with vault pointers (or deleted + gitignored).
- [ ] **👤 Scopes minimized** — every API key and the deploy user narrowed to minimum permissions.
- [ ] **🔀 Audit recorded** — rotation/move/re-scope summary committed to the customizations log.

:::next[Next step]
[Release & deploy](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/12-production/02-release-and-deploy/)
:::

# 1 · Pre-flight security hygiene (P0)

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/12-production/01-preflight/

## TL;DR

**Objective** — rotate every test-mode key and staging password that touched a chat or log, vault plaintext credentials, re-scope over-privileged service accounts, and record the audit, so no convenience credential from iteration becomes a liability the moment real traffic arrives.

:::note[User part + done-when]
**👤 User part** — this whole step is people-only: rotating keys in gateway dashboards, changing passwords in hosting panels, moving secrets into a password manager / vault, and narrowing API-key scopes are all browser/console actions an agent can't perform. An agent can draft the audit record, but the rotations themselves are yours.

**Done when** all test-mode keys + staging passwords are rotated (old values revoked), plaintext credentials live in a vault, service-account scopes are minimized, and the audit summary is committed. &nbsp;·&nbsp; **⏱ ~45 min** &nbsp;·&nbsp; 👤 user-driven (dashboards + vault).
:::

## Background

**Never skip this.** Every production deploy starts here. Staging and production are different security contexts: credentials that were convenient during iteration become liabilities the moment real traffic arrives.

:::danger[Treat anything pasted into an agent as compromised]
AI chat transcripts may be logged, cached, or backed up by the harness or any intermediary. Any key, password, or token that appeared in a chat or log should be considered exposed and rotated **before** production goes live — regardless of whether the session was "private".
:::

:::caution[Set the production Admin-Server posture before deploy]
The production server's monitoring agent must run in production mode, not a leftover staging posture. In `~/Admin-Server/config/server.env` on the **production** host, confirm:

- `SERVER_ENV="production"` — drives the production alert prefix and standard palette.
- `DIAGNOSTIC_MODE="false"` — terse alerts, no debug noise.
- `REDACT_PATHS="true"` — masks `$HOME` in alert payloads (privacy + security).

If any still carry staging values (`SERVER_ENV="staging"`, `DIAGNOSTIC_MODE="true"`), fix them **before** the production deploy, then confirm the displayed posture:

```bash
ssh <SSH_PRODUCTION_ALIAS> '~/Admin-Server/scripts/status.sh'
# Expected: ENV/REDACT/DIAGNOSTIC show production · true · false
```
:::

## Steps

### 1. Rotate every test-mode payment key

Roll each key that appeared in chat or log history, then revoke the old value at the source.

:::note[Who does this]
👤 **User** rotates keys in the gateway dashboard — a browser action an agent can't perform.
:::

<Steps>

1. **Roll each test-mode key** in the gateway dashboard, update the staging environment with the new value, and revoke the old key.

   - ✅ Every test-mode key is rotated and the old keys are revoked at the source.

</Steps>

### 2. Rotate all staging-side passwords

SMTP, database, and hosting-panel credentials — and any password that lived in a plaintext file.

:::note[Who does this]
👤 **User** changes each password in the hosting panel / provider console.
:::

<Steps>

1. **Rotate the staging-side passwords** — SMTP, database, hosting-panel, and anything that lived in a plaintext file.

   - ✅ All staging-side passwords are rotated.

</Steps>

### 3. Migrate plaintext credentials into a real secrets manager

Move every secret into the appropriate vault, then replace the plaintext store with pointers (or delete it and `.gitignore` it).

:::note[Who does this]
👤 **User** moves the secrets into a password manager / vault and removes the plaintext store.
:::

<Steps>

1. **Move every secret into the appropriate vault**, then replace the plaintext store with pointers — or delete it and `.gitignore` it.

   - ✅ Plaintext credentials are replaced with vault pointers (or deleted + gitignored).

</Steps>

### 4. Re-scope over-privileged service accounts

Narrow each API key and the deploy user to the minimum permissions they actually need.

:::note[Who does this]
👤 **User** edits scopes in each provider's console (payments, analytics, error tracking, deploy user).
:::

<Steps>

1. **Narrow each API key and the deploy user** — payments, analytics, error tracking — to the minimum permissions they actually need.

   - ✅ Every service-account scope is narrowed to the minimum.

</Steps>

### 5. Record the audit

Capture what changed so the rotation is auditable later. An agent can draft this record from your notes.

<Steps>

1. **Write the audit summary** in your customizations log — what was rotated, what moved to the vault, what was re-scoped, and any accepted exceptions with the reason.

   - ✅ The audit summary is committed.

</Steps>

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **👤 Test-mode keys rotated** — every test-mode payment key rolled; old keys revoked at the source.
- [ ] **👤 Staging passwords rotated** — SMTP, database, and hosting-panel credentials all changed.
- [ ] **👤 Credentials vaulted** — plaintext secrets replaced with vault pointers (or deleted + gitignored).
- [ ] **👤 Scopes minimized** — every API key and the deploy user narrowed to minimum permissions.
- [ ] **🔀 Audit recorded** — rotation/move/re-scope summary committed to the customizations log.

:::next[Next step]
[Release & deploy](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/12-production/02-release-and-deploy/)
:::