161ef94b4f
Check engine pin consistency / Dockerfile / CI pin consistency (push) Successful in 8s
Sirius CI/CD Pipeline / Detect Changes (push) Successful in 23s
Validate Docker Configuration / Validate Docker Compose Configuration (push) Successful in 47s
Sirius CI/CD Pipeline / Build API (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Build UI (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Engine Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Merge API Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Merge UI Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Build Engine (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Build Infra (${{ matrix.service }}, ${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-postgres) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-rabbitmq) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-valkey) (push) Has been cancelled
Sirius CI/CD Pipeline / Integration Test (push) Has been cancelled
Sirius CI/CD Pipeline / Public Stack Contract (push) Has been cancelled
Sirius CI/CD Pipeline / Dispatch Demo Deployment (sirius-demo branch) (push) Has been cancelled
Sirius CI/CD Pipeline / Dispatch Demo Canary (main branch) (push) Has been cancelled
Sirius CI/CD Pipeline / Guard Registry Namespace (push) Has been cancelled
3.5 KiB
3.5 KiB
title, description, template, llm_context, categories, tags, related_docs
| title | description | template | llm_context | categories | tags | related_docs | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| API Key Operations Runbook | Production runbook for stateless service API key rotation, recovery, and incident response. | TEMPLATE.guide | high |
|
|
|
API Key Operations Runbook
This runbook defines production-safe operations for Sirius service API keys.
Scope
Applies to service-to-service credential SIRIUS_API_KEY used by:
sirius-apisirius-ui(server-side tRPC -> API calls)sirius-engineand agent/scanner API clients
Baseline Invariants
SIRIUS_API_KEYmust be non-empty in production.- Go API must reject requests without a valid
X-API-Key. - Only
/healthis public. - Root service key validation is stateless from runtime environment configuration.
- Valkey stores only dynamic/user-generated API key records.
Rotation Procedure (No Downtime)
1) Create new key
- Authenticate as admin in UI.
- Create a new API key in Settings.
- Record:
- key value (shown once)
- key id/hash
- label
2) Deploy new key to services
- Update deployment secret store or environment value for
SIRIUS_API_KEYwith the new key. - Roll out services in order:
sirius-apisirius-uisirius-engine
- Validate:
- API 401 rate does not spike.
- UI can read/write through tRPC.
- scanner/agent host submissions continue.
3) Revoke old key
- After rollout and validation period, revoke old key in UI.
- Confirm old key returns 401.
- Close rotation ticket.
Incident: Valkey Data Loss
Symptoms:
- sudden 401s for user-generated keys
- API key list empty
- dynamic key operations fail while root key requests still succeed
Recovery:
- Restore Valkey from backup if available.
- If no backup:
- ensure production
SIRIUS_API_KEYis correctly set for all services. - restart
sirius-apifirst; root key path remains stateless.
- ensure production
- Restart
sirius-uiandsirius-engine. - Validate end-to-end operations and security harness results.
Incident: Root Key Mismatch (Configuration Drift)
Symptoms:
- services return 401 with old key after key rotation
- env values differ between
sirius-ui,sirius-api, andsirius-engine
Recovery:
- Confirm deployed
SIRIUS_API_KEYvalue in runtime environment. - Restart
sirius-api, thensirius-uiandsirius-engine. - Re-check key validation success for deployed root key.
- If still failing, capture API logs and run security harness
auth-surfaceandapisuites.
Incident: Unauthorized Agent/Scanner API Writes
Symptoms:
- scanner/agent host submissions return 401
Recovery:
- Verify
SIRIUS_API_KEYis present in engine/scanner/agent runtime. - Verify clients send
X-API-Key. - Validate key exists in API key list and is not revoked.
- Roll service restart after secret correction.
Validation Commands
Run security checks from repository root:
cd testing/security
go run . --suite api
go run . --suite trpc
go run . --suite auth-surface
Operational Checklist
SIRIUS_API_KEYsecret exists and is non-empty in production.- API middleware accepts configured root key on non-health routes.
- UI + engine are using the same active service key.
- Old keys are revoked only after rollout validation.
- Recovery procedure for config drift or Valkey loss is documented in incident ticket.