# Gate 01 — Secret management

**State at `v1.1.0`: ✅ PASS.**

## Required items

| Item                                                                                        | Required | State                                             |
| ------------------------------------------------------------------------------------------- | -------- | ------------------------------------------------- |
| Trufflehog `--only-verified` = 0 on `main`                                                  | yes      | ✅ PASS                                            |
| Pre-commit gitleaks pinned ≥ v8.28                                                          | yes      | ✅ PASS                                            |
| CI gitleaks-action runs on every PR with `fetch-depth: 0`                                   | yes      | ✅ PASS                                            |
| `.env.example` files contain placeholders only                                              | yes      | ✅ PASS                                            |
| Production credentials sourced from a managed secret store (GitHub Actions secrets / Vault) | yes      | ✅ PASS — no static tokens in repo settings        |
| Credential rotation SLA documented (24h on exposure)                                        | yes      | ✅ PASS — see `SECURITY.md` + `SECRETS_AUDIT_*.md` |

## Rotation SLA

| Severity                          | Action                             | Time |
| --------------------------------- | ---------------------------------- | ---- |
| Verified secret in public commit  | Rotate at source + scrub history   | 24h  |
| Verified secret in private commit | Rotate at source                   | 7d   |
| Unverified high-entropy string    | Triage; rotate if reused elsewhere | 30d  |

## Process when a secret is found

```mermaid
flowchart TD
    A[Secret detected<br/>pre-commit / CI / external] --> B{Verified?}
    B -->|yes| C[Rotate at source<br/>within 24h]
    B -->|no| D[Open private issue<br/>triage within 1 business day]
    C --> E[Scrub history<br/>git filter-repo]
    E --> F[Force-push main<br/>after announcement]
    F --> G[Log in SECRETS_AUDIT_<date>.md]
    D --> H{Reused elsewhere?}
    H -->|yes| C
    H -->|no| I[Document + close]
```
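The two checks this gate relies on can be made concrete. The block below is an added example, not tooling from the edge-app or edge-governance repositories: `check_env_example()` enforces the "`.env.example` files contain placeholders only" item from the required-items table, and `triage()` walks the flowchart above against the Rotation SLA table and returns the deadline and ordered actions for a finding. The token-prefix list, the entropy threshold, the key-name heuristic and the sample `.env.example` are assumptions constructed for the example; gitleaks and trufflehog remain the real detectors, and the "verified" flag here stands in for trufflehog's live verification, which needs network access.

```python
# Added example (not the project's own code): placeholder check for
# .env.example plus the secret-found triage from this page's flowchart/SLA.
import math
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a real deployment keeps this list aligned with the gitleaks
# rule set the CI secret-scan job runs; these are well-known token prefixes.
KNOWN_PREFIXES = ("sk-", "ghp_", "gho_", "AKIA", "xoxb-", "glpat-")
ENTROPY_THRESHOLD = 3.5  # bits/char; assumption, near where scanner rules sit
SECRET_KEY_RE = re.compile(r"(KEY|SECRET|TOKEN|PASS|PWD|CREDENTIAL)", re.I)
PLACEHOLDER_RE = re.compile(
    r"^(|<[^>]+>|\$\{[^}]+\}|x+|changeme|your[-_a-z]*|replace[-_a-z]*|todo|example)$",
    re.I,
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex/base64 key material sits well above 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_value(value: str) -> str:
    """Return 'placeholder', 'known_prefix', 'high_entropy' or 'plain'."""
    v = value.strip().strip("'\"")
    if PLACEHOLDER_RE.match(v):
        return "placeholder"
    if v.startswith(KNOWN_PREFIXES):
        return "known_prefix"
    if len(v) >= 20 and shannon_entropy(v) >= ENTROPY_THRESHOLD:
        return "high_entropy"
    return "plain"


def check_env_example(text: str) -> list[tuple[str, str]]:
    """(key, reason) for every line violating 'placeholders only'.

    Credential-shaped values fail whatever the key is called; for keys that
    look like secrets (PASSWORD, TOKEN, ...) anything but a placeholder fails.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        kind = classify_value(value)
        if kind in ("known_prefix", "high_entropy"):
            findings.append((key, kind))
        elif kind != "placeholder" and SECRET_KEY_RE.search(key):
            findings.append((key, "non_placeholder"))
    return findings


@dataclass(frozen=True)
class Finding:
    secret_kind: str       # e.g. "openai_api_key"
    verified: bool         # confirmed live (what trufflehog --only-verified reports)
    public_repo: bool
    reused_elsewhere: bool = False  # the flowchart's "Reused elsewhere?" answer


# Rotation SLA table from this page, keyed by severity row.
SLA = {
    "public_verified": timedelta(hours=24),
    "private_verified": timedelta(days=7),
    "unverified": timedelta(days=30),
}


def triage(f: Finding, detected_at: datetime) -> dict:
    """Walk the flowchart; return SLA row, deadline and ordered actions."""
    audit_entry = f"log in SECRETS_AUDIT_{detected_at:%Y-%m-%d}.md"
    if f.verified:
        row = "public_verified" if f.public_repo else "private_verified"
        actions = ["rotate at source"]
        if f.public_repo:  # only a public exposure needs the history scrub
            actions += ["scrub history (git filter-repo)", "announce, then force-push main"]
        actions.append(audit_entry)
    else:
        row = "unverified"  # the 30d row applies even if rotation turns out to be needed
        actions = ["open private issue", "triage within 1 business day"]
        actions += ["rotate at source", audit_entry] if f.reused_elsewhere else ["document + close"]
    return {"row": row, "deadline": detected_at + SLA[row], "actions": actions}


# Constructed sample .env.example; none of these values are real credentials.
SAMPLE_ENV_EXAMPLE = """\
OPENAI_API_KEY=<your-openai-key>
DATABASE_URL=${DATABASE_URL}
PORT=8080
SMTP_PASSWORD=hunter2
GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ01234567
"""
SAMPLE_DETECTED_AT = datetime(2026, 5, 27, 9, 0)  # constructed timestamp

if __name__ == "__main__":
    for key, reason in check_env_example(SAMPLE_ENV_EXAMPLE):
        print(f".env.example: {key} rejected ({reason})")
    print(triage(Finding("openai_api_key", verified=True, public_repo=True), SAMPLE_DETECTED_AT))
```

Running it rejects `SMTP_PASSWORD=hunter2` (a secret-named key without a placeholder) and the `ghp_`-prefixed token, while `PORT=8080` passes; the verified-public finding gets the 24h row with rotate, scrub, announce-then-force-push and the audit-log entry, in that order. A CI job would wire `check_env_example()` over every `.env.example` in the tree and fail the build on a non-empty result.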

## Why it matters

The 2026-05-27 incident (47 commits carrying a verified, live OpenAI key inside the vendored `examples/base/pb_data/data.db`) proved that scrubbing must be paired with prevention. Today the prevention is in place: the pre-commit gitleaks hook blocks on the developer's machine, the CI gitleaks job blocks server-side on every PR (this is the enforcing control, since a local hook can be skipped with `git commit --no-verify`), and the rotation log is reviewable.

## Evidence

* [`SECRETS_AUDIT_2026-05-27.md`](https://github.com/NKAP360-dev/edge-governance/blob/main/SECRETS_AUDIT_2026-05-27.md) — full scrub evidence.
* `.pre-commit-config.yaml` on `edge-app` `main` — gitleaks hook pinned.
* `.github/workflows/ci.yml` `secret-scan` job — runs gitleaks v8.28 with `fetch-depth: 0`.

## Compliance mapping

* ISO 27001 Annex A.8.28 (Secure coding) — gitleaks as compensating control.
* ISO 27001 Annex A.5.34 (Privacy / PII).
* DORA Art 8(2)(b) (Protection: keeping secrets out of source removes one of the most common initial-access vectors).

