# 2026-07-15 -- credential/env consolidation into ~/vr1-office1-creds/ (SEC-009)

Operator-approved. Closes a credential SPRAWL + world-readable exposure on vcloud, and establishes
the standing per-site consolidation convention.

## The finding

Three env files sat loose in `~`, outside the consolidated `~/vr1-office1-creds/` folder:

    ~/.vr1-netbox.env    0600   upstream/v1-draft NetBox token (NETBOX_URL + NETBOX_TOKEN)
    ~/vr1-office1.env    0600   OPNsense edge config (WAN/LAN/DHCP/root-hash/SSH-key vars)
    ~/vr1-stage1.env     0664   OpenTofu TF_VAR_* -- INCLUDING TF_VAR_maas_api_key (a MAAS secret)

`vr1-stage1.env` at **0664 (group/world-readable)** held a MAAS API key -- a real exposure, not just
untidiness. `~/vr1-office1-creds/tailscale-authkey.txt` was also 0664. None were created this
session (mtimes 2026-07-10..12); a prior session in this continuity scattered them.

## What was done (files OUTSIDE the repo; not committed, recorded here)

- Moved all three into `~/vr1-office1-creds/` (`vr1-netbox.env`, `vr1-office1.env`, `vr1-stage1.env`).
- `chmod 600` on every sensitive file in the folder -- fixed the two 0664 files.
- No file CONTENTS were read; key NAMES only were listed to identify each file's purpose.
- Fixed a D-119 follow-up the sweep could not reach (it is outside the repo): `vr1-stage1.env` had
  `TF_VAR_dc1_pool_path` / `TF_VAR_dc2_pool_path` -> renamed to `TF_VAR_vr1_dc0_pool_path` /
  `TF_VAR_vr1_dc1_pool_path` to match the renamed OpenTofu variables.

## Repo changes (committed)

- Active path references updated old `~/.vr1-netbox.env` -> `~/vr1-office1-creds/vr1-netbox.env`:
  `netbox/prod-draft-dump.py` (docstring + usage + error message), `runbooks/dc-dc-phase1-office1-
  standup.md` (Step 10b table), `docs/vr1-office1-as-built.md`, `docs/session-ledger.md`.
  Dated changelog/incident records that reference the OLD paths are left as historical snapshots.
- `docs/vr1-office1-as-built.md` secrets table: added the three env files + the consolidation note.
  Corrected a wrong assumption recorded mid-session -- the SANDBOX NetBox token is NOT on vcloud; it
  is on office1-netbox (`/root/netbox-secrets/`). `vr1-netbox.env` is the UPSTREAM token only.
- `docs/security-ledger.md`: SEC-009 (this finding, REMEDIATED) + the STANDING CONVENTION.

## Standing convention (SEC-009)

Per-site: ALL sensitive + env/config files live in one `~/<site>-creds/` folder (0700; files 0600;
public keys 0644). No loose env files in `~`. `~/vr1-dc0-creds/` and `~/vr1-dc1-creds/` follow the
same pattern FROM DAY ONE when DC deployment starts. This is a DATA-LOSS / continuity control first:
scattered creds get lost between sessions and after compaction. Real credential hardening (rotation,
revocation) stays deferred to post-teardown redeploy cycles -- this is a closed in-house test.

Also seeded agent memory (was empty): the creds convention and the closed-test posture, so neither
is re-lost at the next compaction.

## Revert

Repo edits: `git revert <this commit>`. The file moves are outside the repo -- to reverse, move the
three env files back to `~` (not recommended: it re-opens the sprawl and the 0664 exposure).
