GIT-018 recommended repo-cleanliness

Sandbox keys rotation documented

Sandbox keys have rotation schedule and last rotation date in comments

Question to ask

"When were the sandbox keys last rotated — do you know?"

Verification guide

Severity: Recommended

Check .env.example or .env for rotation comments:

# Look for comments indicating last rotation or rotation schedule (case-insensitive, so "Rotated" and "rotated" both match)
grep -iE "^#.*(rotat|updated|changed|expires)" .env.example .env 2>/dev/null

Expected pattern in env files:

# Sandbox Stripe key - rotate every 6 months - last rotated: 2026-01
STRIPE_SECRET_KEY=sk_test_xxx

# Dev database - rotate quarterly - last rotated: 2025-12
DATABASE_URL=postgres://dev:xxx@localhost/app

Pass criteria:

  • Sandbox keys have comments indicating rotation schedule
  • Comments include last rotation date
  • Rotation is happening on schedule (dates are recent)

Fail criteria:

  • No rotation comments on sandbox keys
  • Last rotation date is stale (over a year old)
  • No rotation policy documented

If missing, ask user: "Sandbox keys should be rotated periodically and documented. When were these last rotated? What's the rotation schedule?"

Evidence to capture:

  • Which keys have rotation comments
  • Last rotation dates
  • Whether rotation is current or overdue
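The grep above only finds the comments; deciding whether each key is current, overdue against its stated schedule, or stale (over a year old) is still manual. The following added script (not part of this guide, written here as an example) automates that classification for the comment convention shown in the expected pattern; the sample env content, the schedule words it recognises, and the status names are all assumptions for illustration.

```python
import re
from datetime import date
# Constructed sample .env.example (not from any real project); values are placeholders.
SAMPLE_ENV = """\
# Sandbox Stripe key - rotate every 6 months - last rotated: 2026-01
STRIPE_SECRET_KEY=sk_test_xxx

# Sandbox SMS key - rotate quarterly - last rotated: 2025-09
SMS_API_KEY=xxx

# Sandbox mailer token - last rotated: 2024-02
MAILER_TOKEN=xxx

SENTRY_DSN=https://xxx@example.invalid/1
"""

SCHEDULE_WORDS = {"monthly": 1, "quarterly": 3, "yearly": 12, "annually": 12}
STALE_AFTER_MONTHS = 12  # fail criterion from this check: over a year old is stale

def parse_schedule_months(comment):
    """Rotation interval in months from text such as 'rotate quarterly', or None."""
    low = comment.lower()
    m = re.search(r"every\s+(\d+)\s+months?", low)
    return int(m.group(1)) if m else next((n for w, n in SCHEDULE_WORDS.items() if w in low), None)

def check_env_rotation(text, today=None):
    """Map each KEY=value line to ok/overdue/stale/no_date/no_comment, judged from the comments above it."""
    year, month = today or (date.today().year, date.today().month)  # today is a (year, month) pair
    results, comments = {}, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("#"):
            comments.append(s)
            continue
        if "=" not in s:
            comments = []  # a blank or unrelated line ends the comment block
            continue
        key, comment = s.split("=", 1)[0].strip(), " ".join(comments)
        comments = []
        m = re.search(r"last rotated:?\s*(\d{4})-(\d{2})", comment, re.IGNORECASE)
        if "rotat" not in comment.lower():
            results[key] = "no_comment"
        elif m is None:
            results[key] = "no_date"
        else:
            age = (year - int(m.group(1))) * 12 + month - int(m.group(2))
            interval = parse_schedule_months(comment) or STALE_AFTER_MONTHS
            results[key] = ("stale" if age > STALE_AFTER_MONTHS
                            else "overdue" if age > interval else "ok")
    return results
```

Run `check_env_rotation(open(".env.example").read())` against a real file; any key reported as `no_comment`, `no_date`, `overdue` or `stale` maps directly onto the fail criteria above and is the evidence to capture.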

Section

01. Git Repo Setup & Security

Infrastructure & Setup