Prompt #146

Agent Token Rotation Procedure
System · openai/gpt-4.1
5/5
Variables
agent_role, date
Tags
stack-aware,gitea,token,rotation,security,ap3
Source
research-2026-05-01-stack-aware
Use count
0
Created
2026-05-01T18:30:48.776731+00:00
Updated
2026-05-01T18:30:48.776731+00:00

Content

Rotate the Gitea token for agent role {agent_role} stored at /etc/gitea-tokens/{agent_role}.token.

Procedure (per AP3 secrets policy):
1. Generate new token in Gitea UI (ubuadmin org, Settings > Applications) or via API:
   `curl -X POST https://git.joelduss.xyz/api/v1/users/{agent_role}/tokens -H "Authorization: Basic <base64-admin>" -H "Content-Type: application/json" -d '{{"name":"agent-{agent_role}-{date}"}}'`
2. Base64-encode for Basic auth: `echo -n "agent-{agent_role}:<hex_token>" | base64`
3. Update token file: `echo "<base64>" > /etc/gitea-tokens/{agent_role}.token && chmod 0600 /etc/gitea-tokens/{agent_role}.token`
4. Revoke old token in Gitea
5. Restart consumers: any service reading the token file (check /etc/gitea-tokens/ dependents)
6. Verify: `bin/flight-recorder verify` (flight-recorder uses the token to post audit entries)
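
Steps 2 and 3 as shell helpers, added here as an example and not part of the original prompt. The function names `encode_basic` and `write_token_file` are hypothetical; the value is read from stdin so it stays out of shell history, the base64 output is kept on one line, and the file is never visible with permissions wider than 0600.

```shell
#!/bin/sh
# Added example: steps 2-3 of the rotation procedure as two helpers.
# Function names are hypothetical; the token file layout follows the page.

# Step 2: build the Basic-auth value.
# printf replaces the non-portable `echo -n`; tr removes the line break
# that GNU base64 inserts after 76 output columns (reached once
# "agent-<role>:<hex_token>" is longer than 57 bytes).
encode_basic() {  # usage: encode_basic <agent_role> <hex_token>
    printf '%s' "agent-$1:$2" | base64 | tr -d '\n'
}

# Step 3: install the value read from stdin at <path>.
# The value is written to a temp file in the same directory (mktemp
# creates it mode 0600) and renamed into place, so a consumer sees either
# the old file or the complete new one, never a partial or wider-mode file.
write_token_file() {  # usage: ... | write_token_file <path>
    dest=$1
    # Accept input with or without a trailing newline; reject empty input.
    IFS= read -r value || [ -n "$value" ] || return 1
    tmp=$(mktemp "$(dirname "$dest")/.token.XXXXXX") || return 1
    if printf '%s\n' "$value" > "$tmp" \
        && chmod 0600 "$tmp" \
        && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

Typical use: `encode_basic "$role" "$hex_token" | write_token_file "/etc/gitea-tokens/$role.token"`, with `$hex_token` read from a prompt or a file instead of typed on the command line.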

Rotation schedule: quarterly minimum; immediately if AP3 secret-scan flags a leak.