#!/usr/bin/env bash set -euo pipefail PROJECT=aptivaai-dev ENV=dev add_ver() { local name="$1" ; shift gcloud secrets versions add "${name}_${ENV}" --data-file=- --project="$PROJECT" >/dev/null echo "βœ… ${name}_${ENV} rotated" } echo "πŸ” Rotating DEV secrets in ${PROJECT}" # ── Generate fresh randoms openssl rand -hex 32 | add_ver JWT_SECRET # ── Paste new third-party keys (press Enter to skip any you don't want to rotate) read -s -p "OPENAI_API_KEY_${ENV}: " OPENAI && echo [[ -n "${OPENAI}" ]] && printf "%s" "$OPENAI" | add_ver OPENAI_API_KEY read -p "ONET_USERNAME_${ENV}: " ONETU && echo [[ -n "${ONETU}" ]] && printf "%s" "$ONETU" | add_ver ONET_USERNAME read -s -p "ONET_PASSWORD_${ENV}: " ONETP && echo [[ -n "${ONETP}" ]] && printf "%s" "$ONETP" | add_ver ONET_PASSWORD read -s -p "STRIPE_SECRET_KEY_${ENV}: " SSK && echo [[ -n "${SSK}" ]] && printf "%s" "$SSK" | add_ver STRIPE_SECRET_KEY read -p "STRIPE_PUBLISHABLE_KEY_${ENV}: " SPK && echo [[ -n "${SPK}" ]] && printf "%s" "$SPK" | add_ver STRIPE_PUBLISHABLE_KEY read -s -p "STRIPE_WH_SECRET_${ENV}: " SWH && echo [[ -n "${SWH}" ]] && printf "%s" "$SWH" | add_ver STRIPE_WH_SECRET read -s -p "SUPPORT_SENDGRID_API_KEY_${ENV}: " SG && echo [[ -n "${SG}" ]] && printf "%s" "$SG" | add_ver SUPPORT_SENDGRID_API_KEY read -s -p "EMAIL_INDEX_SECRET_${ENV}: " EIDX && echo [[ -n "${EIDX}" ]] && printf "%s" "$EIDX" | add_ver EMAIL_INDEX_SECRET read -p "TWILIO_ACCOUNT_SID_${ENV}: " TSID && echo [[ -n "${TSID}" ]] && printf "%s" "$TSID" | add_ver TWILIO_ACCOUNT_SID read -s -p "TWILIO_AUTH_TOKEN_${ENV}: " TAUT && echo [[ -n "${TAUT}" ]] && printf "%s" "$TAUT" | add_ver TWILIO_AUTH_TOKEN read -p "TWILIO_MESSAGING_SERVICE_SID_${ENV}: " TMSS && echo [[ -n "${TMSS}" ]] && printf "%s" "$TMSS" | add_ver TWILIO_MESSAGING_SERVICE_SID # Optional: rotate Maps if it was in the leaked image read -s -p "GOOGLE_MAPS_API_KEY_${ENV} (optional): " GMAPS && echo [[ -n "${GMAPS}" ]] && printf "%s" "$GMAPS" | add_ver GOOGLE_MAPS_API_KEY echo "πŸ” Rebuilding DEV with fresh secrets…" ENV=dev ./deploy_all.sh echo "πŸ§ͺ Verifying runtime env inside containers:" docker compose exec -T server1 sh -lc 'printenv | egrep "JWT_SECRET|OPENAI|ONET|STRIPE_(SECRET|PUBLISH|WH)|SENDGRID|EMAIL_INDEX|TWILIO|TOKEN_MAX_AGE_MS|ACCESS_COOKIE_NAME|COOKIE_(SECURE|SAMESITE)"' echo "βœ… Done."