Key Rotation Register

Module 9, Lesson 9.3 · secrets inventory + rotation drill log · produces Section 4 of /capstone/security-posture.md

Save this as: /capstone/security-notes/key-rotation-register.md (print a physical copy for the rotation drill; keep one digital copy in your secrets notebook — never with the keys themselves).

Use it again: every 90 days, on every suspected leak, and on every onboarding of a new provider.

Three rules, non-negotiable:

No secret ever appears in a conversation.
Every key has a scope and a cap.
A leaked key is rotated, not patched.

Header

Student: Date:

The one store (where all secrets live):

(env vars, OS keychain, cloud provider vault — pick one and only one)

Part 1 — Secrets inventory

Every live key, across every provider

Include the cloud-provider key from Module 2, every third-party API key a plugin or skill uses, every MCP token, and any database credential an agent touches. If you find one you cannot name the scope or cap of, it is a candidate for rotation.

#	Key name	Provider	Stored in	Scope	Monthly cap	Last rotated	Next rotation due
1
2
3
4
5
6
7
8

Part 2 — Rotation drill log

Log of the one rotation you run this lesson

Default pick: the cloud-provider key from Module 2. Largest blast radius; most likely to have been pasted somewhere it should not have been over the previous eight lessons.

Provider

Key name / label

Old key (redacted fingerprint — last 4 characters only)

Reason for rotation (drill / suspected leak / calendar / other)

New key generated at (date / time)

Scope verified (which projects / endpoints it can reach)

Cap verified (dollar ceiling per month, from provider console)

Old key revoked at (date / time)

Verification test ran (describe: one request succeeded with new key; same request failed with old)

Notes / surprises

Part 3 — Section 4 draft

Copy this block into /capstone/security-posture.md. Fill in from Parts 1 and 2.

## 4. Secrets posture

**Where keys live (the one store):** __________________________________

**Rotation cadence:** every 90 days, plus immediately on any of the
red-flag triggers in Part 4 below.

**Per-key cap:** ________________ per month, set in the provider's
billing console. No key in my system can spend more than this in one
month, even if fully compromised.

**Emergency rotation trigger:** any of —
- a key appears in a transcript, screenshot, or commit;
- a provider sends an unusual-activity alert;
- I see a charge I did not recognize;
- a plugin or skill with credential access has been updated in a way
  I did not audit;
- any other circumstance where I am not sure whether the key is still
  private to me.

**Action on trigger:** rotate the key, do not patch.

Part 4 — Red-flag check

If any of these applies, rotate the key — do not argue about severity

Walk your own tools one by one. Claude Code CLI transcripts. Cowork-tab chat history. Screenshots on your desktop. Your GitHub account's public repositories. The .env file's git history. If any checkbox ends in "rotate," rotate before you finish this worksheet.

A key (or partial key) appears anywhere in a Claude Code CLI or Cowork-tab transcript. If yes → rotate.
A key appears in a screenshot saved on this machine or shared with anyone. If yes → rotate.
A key appears in a public commit (your repo, a gist, anywhere indexed). If yes → rotate.
A .env file was ever committed to git, even if later removed. If yes → rotate (git history is forever) and scrub the history.
A key was shared in a DM, email, or chat with another person (even a trusted one). If yes → rotate.
You cannot remember the last time you rotated a key that is more than 90 days old. If yes → rotate.

Section 4 ready-to-freeze checklist

Secrets inventory has a row for every key I actually use; scope and cap are filled for each.
Rotation drill log is complete: old key revoked, new key verified, test ran.
Section 4 draft pasted into /capstone/security-posture.md with placeholders replaced.
Red-flag check ran; any rotate-triggers were handled before I completed this worksheet.
The one store is named and I have not left a duplicate of any key anywhere else (including in my own notes).

This worksheet accompanies Lesson 9.3 of AI Architect Academy. The three rules (no secret in conversation, scope and cap, rotated not patched) and the red-flag triggers are concept. Provider-specific console paths (Anthropic Console, OpenAI, etc.) and per-OS keychain commands are recipe and live in /recipe-book/rotating-an-api-key.md and /recipe-book/setting-a-hard-cap-on-cloud-spend.md.