Credential Inventory

Updated: 2026-04-12

Values are intentionally omitted. This page inventories names, storage locations, and consumers only.

| Credential / secret | Storage location | Containers / consumers | Rotation policy |
|---|---|---|---|
| TS_OAUTH_CLIENT_ID + TS_OAUTH_SECRET | GitHub Actions secrets | deploy-*, lt-rust-cutover-gate.yml via Tailscale setup; none (workflow-only) | Manual when Tailscale OAuth client is rotated; no repo-local policy documented. |
| SYNOLOGY_SSH_KEY | GitHub Actions secret | Synology deploy / verify workflows; none (workflow-only) | Manual key rotation on Synology / GitHub side; no automated cadence documented. |
| CLOUDFLARE_API_TOKEN | GitHub Actions secret | deploy-docs-cfp.yml; none (workflow-only) | Manual when Cloudflare token is rotated or scope changes. |
| CLOUDFLARE_ACCOUNT_ID | GitHub Actions secret | deploy-docs-cfp.yml, cf-guest-manage.yml; none (workflow-only) | Static identifier; rotate only if account changes. |
| CF_ACCESS_TOKEN | GitHub Actions secret | cf-guest-manage.yml; none (workflow-only) | Manual when Cloudflare Access API token is rotated. |
| POLYGON_API_KEY | Synology /volume1/aegis/.env and /volume1/aegis/repo/aegis_v3/pt-docker/.env | aegis-wft, aegis-quote-collector, aegis-lt-quote-collector, aegis-lt-scan-cycle, aegis-lt-ldas-*, aegis-polygon-quotes | Manual provider rotation; workflows validate presence before deploy. |
| SAXOBANK_APP_KEY_LIVE + SAXOBANK_APP_SECRET_LIVE | Synology /volume1/aegis/.env and /volume1/aegis/repo/aegis_v3/pt-docker/.env | aegis-token-keeper-live, aegis-wft, aegis-quote-collector, aegis-lt-token-keeper, aegis-lt-quote-collector | Manual when Saxo app credentials rotate; no automated cadence documented. |
| SAXOBANK_ACCOUNT_KEY_LIVE + SAXOBANK_ACCOUNT_ID_LIVE | Synology pt-docker/.env (plus legacy passthrough in some compose files) | Python PT stack (aegis-wft, aegis-quote-collector) and legacy lt-rust env passthrough | Manual only when broker account context changes. |
| Saxo live token cache (saxobank_tokens_live.json, saxobank_tokens_live_rust.json) | Synology /volume1/aegis/tokens/ | aegis-token-keeper-live, aegis-lt-token-keeper, aegis-lt-quote-collector, aegis-lt-scan-cycle, aegis-lt-rust | Automatically refreshed by token-keeper daemons; file path itself is stable. |
| IBKR_PAPER_USERNAME + IBKR_PAPER_PASSWORD | Current: Synology /volume1/aegis/repo/aegis_v3/pt-docker/.env. Deferred Fargate scaffold: AWS Secrets Manager aegis/ibkr/paper/username, aegis/ibkr/paper/password | aegis-lt-ibkr-gateway | Manual on IBKR paper password reset / account change. |
| IBKR_TOTP_SECRET | User-held today; planned AWS Secrets Manager for live IBeam lane | Future live IBKR gateway only; paper Synology lane does not currently consume it | Manual rotation whenever IBKR 2FA is reset / reprovisioned. |
| UNUSUAL_WHALES_API_TOKEN | Synology .env / LDAS runtime env | aegis-ldas and related UW flow collectors; legacy Python PT surfaces | Manual provider rotation; Rust lt-ldas docs mark it optional / currently unused. |
| FRED_API_KEY | Synology .env / pt-docker/.env | aegis-ldas, aegis-wft, dashboard market/trading services, historical VIX fallback code | Manual provider rotation; no automated cadence documented. |
| TWILIO_ACCOUNT_SID + TWILIO_AUTH_TOKEN + TWILIO_FROM_NUMBER + TWILIO_TO_NUMBER | Synology /volume1/aegis/.env | aegis-monitor and Twilio helper scripts | Manual when Twilio credentials or destination numbers rotate. |
| TUNNEL_TOKEN | Synology /volume1/aegis/.env | Cloudflare tunnel / external access path (cloudflared runtime) | Manual when the tunnel token is regenerated. |

Notes

- Current secret storage is split between central Synology .env, pt-docker/.env, GitHub Actions secrets, and deferred AWS Secrets Manager scaffolds.
- The biggest runtime secret with automatic rotation is the Saxo token cache; most others are operator-managed and should be treated as manual rotation items until a stricter policy is documented.
- IBKR paper credentials are now part of the inventory even though the long-term live lane is expected to move toward Secrets Manager-backed storage.