Athas Boilerplate

Secrets Rotation

internal

Standardized credential rotation workflow and leak response.

Standard rotation flow

  1. Generate new credential.
  2. Rotate in non-production first.
  3. Validate affected flows.
  4. Promote to production.
  5. Revoke old credential after verification.

Rules

  • Prefer overlap windows when provider supports dual keys.
  • Keep rollback path during rotation.
  • Record evidence: timestamps, environments, verification output.
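
The flow and rules above, sketched as an added example (not code from this project's runbook). DualKeyProvider is a hypothetical in-memory stand-in for a provider that supports dual keys; the environment names and the verify callback are assumptions.

```python
import secrets
from datetime import datetime, timezone

class DualKeyProvider:
    """Hypothetical in-memory provider that allows several active keys."""
    def __init__(self, initial_key):
        self.active = {initial_key}
    def add_key(self):
        key = secrets.token_hex(16)
        self.active.add(key)
        return key
    def revoke(self, key):
        self.active.discard(key)
    def accepts(self, key):
        return key in self.active

def rotate(providers, deployed, verify, order=("staging", "production")):
    """Rotate every environment in `order`; return (ok, evidence).

    providers: env -> DualKeyProvider; deployed: env -> key in use (mutated);
    verify: callable(env, key) -> bool that exercises the affected flows.
    """
    evidence = []
    def record(env, step, output):
        evidence.append({"timestamp": datetime.now(timezone.utc).isoformat(),
                         "environment": env, "step": step, "output": output})
    old = dict(deployed)                      # rollback path
    issued = {}
    for env in order:                         # non-production first
        issued[env] = providers[env].add_key()    # old key stays valid (overlap)
        deployed[env] = issued[env]
        record(env, "deploy", "new key issued and deployed")
        ok = providers[env].accepts(issued[env]) and verify(env, issued[env])
        record(env, "verify", "pass" if ok else "fail")
        if not ok:
            for done, key in issued.items():  # restore old keys, drop new ones
                deployed[done] = old[done]
                providers[done].revoke(key)
                record(done, "rollback", "old key restored")
            return False, evidence
    for env in order:                         # revoke only after all verification
        providers[env].revoke(old[env])
        record(env, "revoke", "old key revoked")
    return True, evidence
```

Because the old key is revoked only in the final loop, a failed verification in any environment leaves every old credential valid and in use.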

Leak response

  1. Rotate immediately.
  2. Revoke compromised secret.
  3. Audit usage window.
  4. Escalate to incident process if impact is non-trivial.

Detailed operations copy: docs/runbooks/secrets-rotation.md
