Install: claude install-skill Guilhermepelido/hermes-optimization-guide
# rotate-secrets — Atomic Secret Rotation
Rotate secrets in `~/.hermes/.env`, propagate the new values to every service that consumes them, and restart only the affected gateways.
## Procedure
1. **Parse the pattern.** Match against every key in `~/.hermes/.env`. Support glob syntax (`*`, `?`, `[abc]`) and the literal `all`.
2. **For each matched key:**
   a. Determine the secret kind from the key name:
      - `*_HMAC_*` or `*_WEBHOOK_SECRET` → generate with `openssl rand -hex 32`
      - `*_API_KEY` → prompt the user to provide the new value (can't auto-rotate external APIs)
      - `GITHUB_*_TOKEN` → open https://github.com/settings/tokens and prompt for the new PAT
      - `TWILIO_AUTH_TOKEN` → direct the user to rotate in the Twilio console and prompt for the new value
      - Unknown pattern → prompt the user for the kind
   b. Back up the current `.env` as `~/.hermes/.env.bak.YYYYMMDDHHMMSS` before any write.
   c. Update the `.env` atomically:
      ```bash
      # Escape \, & and | in the value so sed writes it literally.
      sed -i "s|^$KEY=.*|$KEY=$(printf '%s' "$NEW_VALUE" | sed 's/[\\&|]/\\&/g')|" ~/.hermes/.env
      ```
      If the key is missing, append it.
3. **Propagate to external services.** For HMAC / webhook secrets, update the remote side:
   - **GitHub webhooks:** use `github` MCP to `PATCH /repos/{owner}/{repo}/hooks/{hook_id}` with `config.secret`
   - **Twilio:** user-guided — we don't touch Twilio SMS webhook config automatically
   - **Slack:** user-guided — rotate signing secret in App Manifest
   - **Discord:** user-guided — rotate public key in Developer Portal
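
Steps 2b and 2c as one shell function, added here as an example and not part of the skill's own code: it takes the timestamped backup, rewrites the file through a temp file and rename, and appends the key when it is missing. The function name `set_env_key` and the demo keys and values are assumptions made for the example.

```bash
#!/bin/sh
# Added example (hypothetical helper): set_env_key FILE KEY, new value on stdin.
set_env_key() (
  file=$1 key=$2
  # Accept only plain env-style names so the key cannot carry pattern syntax.
  case $key in
    ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "invalid key name" >&2; exit 2 ;;
  esac
  [ -f "$file" ] || { echo "no such file: $file" >&2; exit 1; }
  # Reading from stdin keeps the secret out of argv and process listings.
  IFS= read -r value || :
  [ -n "$value" ] || { echo "empty value for $key" >&2; exit 1; }

  umask 077
  # Timestamped backup (step 2b); keep the earliest copy taken in this second.
  bak="$file.bak.$(date +%Y%m%d%H%M%S)"
  [ -e "$bak" ] || cp -p "$file" "$bak" || exit 1

  # Temp file in the same directory, so the final mv is a rename.
  tmp=$(mktemp "$file.tmp.XXXXXX") || exit 1
  # awk compares and prints plain strings, so "/", "&" and "\" in the value
  # are written as-is. A key that is not present is appended in END.
  NEW_VALUE=$value awk -v key="$key" '
    BEGIN { prefix = key "=" }
    index($0, prefix) == 1 { print prefix ENVIRON["NEW_VALUE"]; found = 1; next }
    { print }
    END { if (!found) print prefix ENVIRON["NEW_VALUE"] }
  ' "$file" > "$tmp" || { rm -f "$tmp"; exit 1; }
  chmod 600 "$tmp" && mv -f "$tmp" "$file"
)

# Demo on a constructed file in a temp dir (keys and values are made up).
demo=$(mktemp -d)
printf 'GITHUB_WEBHOOK_SECRET=old\nSLACK_API_KEY=keep\n' > "$demo/.env"
printf '%s\n' 'a/b&c\1' | set_env_key "$demo/.env" GITHUB_WEBHOOK_SECRET
printf '%s\n' 'appended' | set_env_key "$demo/.env" NEW_HMAC_KEY
cat "$demo/.env"; rm -rf "$demo"
```

For a generated secret the call would be `openssl rand -hex 32 | set_env_key ~/.hermes/.env "$KEY"`.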