Rotation Routing Matrix

Owner: sre-agent Last updated: 2026-05-04 UTC Consumed by: raxx-console rotation UI (#300) — UI links to vendor-specific SOP for any manual step

CF token rename (#754): New CF_<FUNCTION>_<SCOPE> names are the canonical names as of 2026-05-01. Legacy names continue to work until the cleanup card removes them. Rows show both names during the migration window.

This index is the canonical map from credential name → vendor → rotation mode → SOP path → cadence. The console rotation UI renders directly from this matrix (or its YAML/JSON-rendered equivalent under console/data/rotation-matrix.{yaml,json} once feature-developer wires it up).

Modes: - programmatic — fully automated; UI can trigger end-to-end without operator console interaction (still requires TOTP re-elevation per ADR 0021) - operator-assisted — UI prepares the rotation but the operator must complete one or more steps in the vendor's portal/CLI; UI deeplinks to the SOP - auto-rotated — vendor handles rotation transparently; SOP is informational only

Matrix

Mode counts

• programmatic: 5 SOPs covering 8 credential rows in the matrix
• operator-assisted: 9 SOPs covering 15 credential rows (added CF_WAF_EDIT_RAXX_APP + CF_DNS_EDIT_GETRAXX_COM 2026-05-04)
• auto-rotated: 1 row (informational)

How the rotation UI consumes this matrix

The rotation UI reads the matrix at render time and: 1. For each row, displays the credential name, vendor, status badge (healthy/stale/expiring/expired/unknown), days-since-last-rotation, and cadence. 2. Mode = programmatic → the "Rotate now" button triggers the UI's automated pipeline (#253). On any operator-required clarification (e.g., a vendor doc deeplink), the UI reveals the SOP link. 3. Mode = operator-assisted → the "Rotate now" button opens the SOP in a side panel and pre-fills as much of the rotation as possible (e.g., generates rotation IDs, opens vendor URL in a new tab). The operator works through the SOP, then returns to the UI to confirm completion. The UI captures the audit log entry on completion. 4. Mode = auto-rotated → no button; the UI shows the rotation status as informational.

Operator follow-ups (to populate "Last rotated" / "Next due")

The "Last rotated" and "Next due" columns are TBD because: - This SOP set is being authored before the rotation pipeline (#253) and console UI (#300) ship. - Once the console UI is live, the Infisical metadata (updatedAt) becomes the source of truth and these columns can be auto-populated. - For credentials that have not been rotated since onboarding, the operator should populate the "Last rotated" date based on their records and trigger a rotation if the value is older than the cadence.

Update protocol

• When a vendor changes their rotation API or UI, update the SOP, bump the Last validated date, and add a row to the SOP's "Vendor doc references" section.
• When a new credential is onboarded, add a row to this matrix and link to the appropriate SOP. If the vendor is new, write a new SOP first.
• When a credential is decommissioned, mark the row as [archived] rather than deleting it — preserves rotation history.
• Quarterly review: sre-agent walks the matrix, confirms each SOP's Last validated is within 6 months, refreshes any stale ones.

Operator answers to SRE follow-up questions (2026-04-25)

1. GitHub App provisioned?

No — Raxx GitHub App is not provisioned as of 2026-04-25. Plan: stay on PATs for v1; revisit GitHub App provisioning once we have ≥2 automated systems writing to the GitHub API. The github-app-installation-token.md SOP is informational/aspirational until then.

2. Dyn DNS — still in use?

Yes — still on Dyn for some records as of 2026-04-25. Vendor docs are degrading post-Oracle acquisition; not yet planned for migration. Keep the SOP active. Follow-up to file: migrate off Dyn before vendor support degrades further.

3. AWS IAM users + break-glass storage

• IAM users with stored access keys: claude-infisical-bootstrap only. Created by Kristerpher; sole IAM identity at present.
• Break-glass v1: Credentials stored in a Google Drive folder owned by Kristerpher, restricted to him only. SOP at docs/ops/runbooks/break-glass.md (to be written) will document the recovery path.
• Break-glass v2 (post-MVP): Filed as #334 — contingent authorization. Two-person rule via Workspace folder permissions or AWS Identity Center with approval workflow are leading candidates.
• AWS rotation strategy: With one IAM user, the user being rotated cannot reliably rotate themselves (the running access key would be invalidated mid-rotation). Until a second rotation-user identity exists, AWS rotation is operator-assisted (manual). Rotation-user identity provisioning is a follow-up to file alongside the contingent-auth design (#334).

Cross-reference issues

• #331 — rotation UI redesign (Mode A primary, Mode B fallback, "not setup with API" state)
• #332 — contextual help rail in console (auto-render relevant SOP from this doc tree)
• #334 — contingent authorization for break-glass (post-MVP)