# AGM Phase 1 Secrets Migration Backlog

- Date: 2026-04-18
- Phase: 1 (Days 1-14)

## Objective

Eliminate hardcoded secrets from code paths and move to environment-driven configuration with least-privilege controls.

## Work Items

### S1. Inventory and Classification

- Status: COMPLETED (2026-04-18)
- Identify credentials, API keys, webhook tokens, and DB secrets in:
  - CRM scraper apps
  - Strategic command-center APIs
  - KPI/chat integrations
- Classify each secret by criticality: P0, P1, P2.
- Evidence: AGM_PHASE1_SECRET_INVENTORY_MATRIX_2026-04-18.md

### S2. Environment Variable Standard

- Status: IN PROGRESS
- Define variable names and scope rules:
  - Runtime-only secret values
  - Non-secret config separated from secret config
  - Environment-specific overrides (dev/stage/prod)
- Evidence: Environment variable manifest defined in AGM_PHASE1_SECRET_INVENTORY_MATRIX_2026-04-18.md
- Evidence: Runtime bootstrap guide and templates published:
  - AGM_PHASE1_ENV_BOOTSTRAP_RUNBOOK_2026-04-18.md
  - .env.enterprise.template (agmnetwork)
  - ../crm/.env.enterprise.template

### S3. Refactor and Fallback Safety

- Status: IN PROGRESS
- Replace direct literals with getenv lookups.
- Add explicit fail-fast for missing P0 secrets.
- Keep safe defaults only for non-sensitive values.
- Prioritized order: S-008, S-005, S-006, S-007, S-001, S-002, S-003, S-004.
- Execution evidence (2026-04-18):
  - Removed default token fallback in webhook/export/dispatch APIs.
  - Removed hardcoded chat DB credentials in SLA dispatch/acknowledgement APIs.
  - Migrated command-center token handling to header-based requests and session-only storage.
  - Removed hardcoded key literals in CRM runtime variants and test scripts.

### S4. Access and Rotation Policy

- Status: NOT STARTED
- Define minimum rotation cadence by class.
- Define role ownership for issuance and revocation.
- Document emergency revocation procedure.

### S5. Validation and Evidence

- Status: IN PROGRESS
- Verify secure-mode endpoints still enforce auth.
- Verify public endpoints do not leak secret-derived details.
- Record validation evidence in Phase 1 checklist.
- Validation script ready: scripts/smoke-test-phase1-security.ps1
- Execution evidence (2026-04-18):
  - Baseline (no tokens configured): endpoints returned HTTP 500 fail-fast misconfiguration responses.
  - Authenticated validation: missing token returned HTTP 403, valid header token returned HTTP 200.
  - Governance audit automation report: AGM_30_60_90_GOVERNANCE_AUDIT_REPORT_2026-04-18_2050.md (PASS).
  - API contract baseline report: AGM_API_CONTRACT_BASELINE_REPORT_2026-04-18_2049.md (14 PASS / 0 FAIL).

## Done Definition

- P0 hardcoded secrets removed from active code paths.
- Environment variable manifest approved.
- Validation evidence recorded and signed off.