Rotate API Key / Secret

Rotate a secret or API key across all locations in the OMI project.

Usage

/rotate-key <KEY_NAME> <NEW_VALUE>

Examples:

• /rotate-key GEMINI_API_KEY AIzaSyNewKeyHere123

• /rotate-key OPENAI_API_KEY sk-new-key-here

If no new value is provided, ask the user for it.

Rotation Checklist

For every key rotation, work through ALL of the following locations. Skip any that don't apply to the specific key.

1. Discovery — Find All Occurrences

Search the entire repo for the key name (env var references)

grep -r "<KEY_NAME>" --include=".env" --include=".yaml" --include=".yml" --include=".py" --include=".swift" --include=".rs" --include=".mjs" --include="*.dart" .

Search for the old value if known (hardcoded instances)

grep -r "<OLD_VALUE>" .

2. macOS Keychain

Check if the key is stored in the macOS Keychain and update it:

Check for existing entry (try common service name patterns)

security find-generic-password -s "<key-name-lowercase>" -w 2>/dev/null

Update: delete old, add new

security delete-generic-password -s "<key-name-lowercase>" 2>/dev/null security add-generic-password -s "<key-name-lowercase>" -a "<key-name-lowercase>" -w "<NEW_VALUE>"

3. Local .env Files

Common locations (check all that contain the key):

Location Purpose

desktop/.env

Desktop app runtime

desktop/.env.app

Desktop app bundled env

desktop/.env.app.dev

Desktop app dev env

desktop/Backend-Rust/.env

Rust backend local

desktop/build/Omi Dev.app/Contents/Resources/.env

Dev build artifact

desktop/build/Omi Beta.app/Contents/Resources/.env

Beta build artifact

backend/.env

Python backend local

app/.env

Flutter app

app/.dev.env

Flutter app dev

Update each file that contains the key

sed -i '' "s/<KEY_NAME>=.*/<KEY_NAME>=<NEW_VALUE>/" <file>

4. GCP Secret Manager

The backend and desktop-backend pull secrets via Kubernetes ExternalSecrets from GCP Secret Manager.

Prod (based-hardware)

echo -n "<NEW_VALUE>" | gcloud secrets versions add <KEY_NAME> --data-file=- --project=based-hardware

Dev (based-hardware-dev) — may need dev service account

echo -n "<NEW_VALUE>" | gcloud secrets versions add <KEY_NAME> --data-file=- --project=based-hardware-dev
--account=local-development-joan@based-hardware-dev.iam.gserviceaccount.com

Disable old versions to prevent use of leaked key

gcloud secrets versions list <KEY_NAME> --project=based-hardware --format="table(name,state)" gcloud secrets versions disable <OLD_VERSION> --secret=<KEY_NAME> --project=based-hardware gcloud secrets versions disable <OLD_VERSION> --secret=<KEY_NAME> --project=based-hardware-dev
--account=local-development-joan@based-hardware-dev.iam.gserviceaccount.com

5. Cloud Run Services (Direct Env Vars)

Some services run on Cloud Run with env vars set directly (not via K8s secrets). Check and update these:

Check current value

gcloud run services describe <SERVICE_NAME> --project=based-hardware --region=us-central1 --format=json |
python3 -c "import json,sys; [print(f"{e['name']}: ...{e.get('value','')[-4:]}") for e in json.load(sys.stdin)['spec']['template']['spec']['containers'][0].get('env',[]) if '<KEY_NAME>' in e.get('name','')]"

Update — IMPORTANT: must specify --image with a valid tag, check available tags first

gcloud container images list-tags gcr.io/based-hardware/<SERVICE_NAME> --limit=5 --sort-by=~timestamp --format="table(tags,timestamp.datetime)" gcloud run services update <SERVICE_NAME> --region=us-central1 --project=based-hardware
--image=gcr.io/based-hardware/<SERVICE_NAME>:<VALID_TAG>
--update-env-vars "<KEY_NAME>=<NEW_VALUE>"

Known Cloud Run services with direct env vars:

Service Region Key(s)

desktop-backend

us-central1 GEMINI_API_KEY , AGENT_GEMINI_API_KEY

6. Restart Kubernetes Deployments

After updating GCP secrets, restart deployments so pods pick up the new values:

Check which deployments use the key

kubectl get deployments -n prod-omi-backend

Restart relevant deployments (common ones that use env secrets)

kubectl rollout restart deployment/prod-omi-backend-listen -n prod-omi-backend kubectl rollout restart deployment/desktop-backend -n prod-omi-backend kubectl rollout restart deployment/prod-omi-pusher -n prod-omi-backend

Add others as needed based on which services use the key

7. Codemagic CI Environment Variables

Codemagic stores env vars used during mobile and desktop builds. Update via the dashboard:

App ID: 66c95e6ec76853c447b8bcbb

API approach (list vars):

export CODEMAGIC_API_TOKEN="$(grep CODEMAGIC_API_TOKEN ~/.zshrc | cut -d'"' -f2)" curl -s -H "x-auth-token: $CODEMAGIC_API_TOKEN"
"https://api.codemagic.io/apps/66c95e6ec76853c447b8bcbb" |
python3 -c " import json,sys data = json.load(sys.stdin)['application'] for v in data.get('appEnvironmentVariables',{}).get('variables',[]): if v.get('key') == '<KEY_NAME>': print(f'Found: group={v["group"]}, id={v["id"]}, secure={v.get("secure",False)}') "

Dashboard approach (if API update isn't supported):

• Navigate to https://codemagic.io/app/66c95e6ec76853c447b8bcbb/settings

• Click "Environment variables" tab

• Find the variable, click the delete (trash) button, confirm deletion

• Add new variable: enter name, value, select the correct group (usually app_env ), check "Secret", click "Add"

8. Codemagic OMI_DESKTOP_APP_ENV (Bundled Desktop .env)

The OMI_DESKTOP_APP_ENV Codemagic secret (group: desktop_secrets ) is a base64-encoded copy of desktop/.env.app that gets decoded into the .app bundle at build time. If any key inside .env.app changes, this secret must also be updated.

1. Verify desktop/.env.app has the new key value

grep "<KEY_NAME>" desktop/.env.app

2. Re-encode

base64 -i desktop/.env.app | tr -d '\n' > /tmp/omi_desktop_app_env_b64.txt

3. Update in Codemagic dashboard:

- Environment variables tab

- Delete old OMI_DESKTOP_APP_ENV (desktop_secrets group)

- Add new: name=OMI_DESKTOP_APP_ENV, value=<contents of /tmp/omi_desktop_app_env_b64.txt>,

group=desktop_secrets, Secret=checked

Keys bundled in desktop/.env.app : OMI_API_URL , DEEPGRAM_API_KEY , GEMINI_API_KEY , MIXPANEL_PROJECT_TOKEN , ANTHROPIC_API_KEY

9. Verification

After rotation, verify:

Keychain

security find-generic-password -s "<key-name-lowercase>" -w

All .env files

grep "<KEY_NAME>" desktop/.env desktop/.env.app desktop/.env.app.dev desktop/Backend-Rust/.env backend/.env 2>/dev/null

GCP Secret Manager

gcloud secrets versions list <KEY_NAME> --project=based-hardware --format="table(name,state)"

Kubernetes rollout status

kubectl rollout status deployment/prod-omi-backend-listen -n prod-omi-backend --timeout=120s

9. Remind User

After completing rotation, remind the user to:

• Revoke the old key in the provider's console (Google Cloud API Credentials, OpenAI dashboard, etc.)

• Check for unauthorized usage in the provider's usage/billing dashboard during the leak window

Key-Specific Notes

GEMINI_API_KEY

• Used by: backend (Python), desktop app (Swift via env), desktop Rust backend, Codemagic (mobile builds + desktop deploy)

• Codemagic groups: app_env (direct var) AND desktop_secrets (inside OMI_DESKTOP_APP_ENV base64 bundle)

• Keychain service: gemini-api-key

• GCP projects: based-hardware (prod), based-hardware-dev (dev)

• Cloud Run: desktop-backend (us-central1, direct env var — NOT via K8s secrets)

• K8s deployments: prod-omi-backend-listen (via ExternalSecrets)

• Helm values reference it via secretKeyRef (no hardcoded values in helm charts)

• IMPORTANT: Also update OMI_DESKTOP_APP_ENV in Codemagic (step 8) — it contains this key inside the base64-encoded .env.app

• WARNING: Never hardcode this key in any tracked file. It has been leaked twice via committed helm values.

OPENAI_API_KEY

• Used by: backend (Python), Codemagic (mobile builds)

• Codemagic group: app_env

GOOGLE_CLIENT_SECRET

• Used by: backend OAuth, Codemagic

• Codemagic group: app_env