Kaizen — Proposals

ACCEPTED sim-001 | Iter #2 | 2026-03-11

Proposal #001: Standardized Deploy Manifest (deploy.yml)

Problem: Deploy pipeline has 0% automation. Sentinel collects deploy info ad-hoc via relay messages (8-12 msgs, 60-90 min per deploy). 28% of relay messages are duplicates.

Solution: Standardized deploy.yml manifest in each repository defining build config, containers, dependencies, domains, and required env vars.

Predicted Impact

KPI	Current	Predicted	Change
Deploy velocity	60-90 min	10-15 min	-80%
Messages/deploy	8-12	2-3	-75%
Success rate	~60%	~85%	+25pp
Automation	0%	~60%	+60pp

Rollout Plan

Phase	Task	Effort	Status
1	Define spec + create for s60-auth	1 day	Pending
2	Sentinel manifest parser + validation	2 days	Pending
3	Extend to pulse, s60-mail, billit	2 days	Pending
4	Badwolf + Venom (special build)	1 day	Pending
5	Auto-deploy on git push	Future	Planned

Risks

MED Manifest divergence from reality — mitigate with pre-deploy validation
LOW Agent adoption — deploy.yml is simple YAML, one-time setup
HIGH Secrets management remains unsolved — separate proposal needed

ACCEPTED sim-002 | Iter #3 | 2026-03-12

Proposal #002: Security Hardening — Secret Management

Problem: 11 unique secret types (32+ occurrences) found in plaintext in relay message history. File permissions wrong on 55% of secrets files/directories. Zero secret rotation since initial setup.

Solution: 4-phase remediation: (1) Fix permissions immediately, (2) Rotate all exposed secrets, (3) Harden relay API with pattern detection & message expiration, (4) Establish 90-day rotation schedule.

Exposed Secret Types

Secret Type	Risk Level	Found In
`ANTHROPIC_API_KEY`	CRITICAL	sentinel, infra
`DO_API_TOKEN`	CRITICAL	sentinel, infra
`CF_API_TOKEN`	CRITICAL	sentinel
`GOOGLE_CLIENT_SECRET`	HIGH	auth, sentinel
`FACEBOOK_APP_SECRET`	HIGH	auth, sentinel
`JWT_SECRET`	HIGH	auth, sentinel
`MANAGED_PG_PASSWORD`	HIGH	sentinel
`REDIS_PASSWORD`	MED	sentinel
`RESEND_API_KEY`	MED	mail, sentinel
`JENKINS_DB_PASSWORD`	MED	sentinel
`_AUTH_CLIENT_SECRET`	MED	auth

Predicted Impact

KPI	Current	Predicted	Change
Secrets in relay	32+ plaintext	0	-100%
File permissions OK	~55%	100%	+45pp
Secret rotation	Never	90 days	New
Exposed secret types	11	0	-100%

Rollout Plan

Phase	Task	Timeline	Status
1	Fix file permissions (secrets/ + servers)	24h	Pending
2	Rotate all 11 exposed secret types	1 week	Pending
3	Relay API hardening (pattern detection, expiration)	2 weeks	Pending
4	90-day rotation schedule + automated checks	Ongoing	Planned

Positive Findings

OK Relay API requires authentication (401 without key)
OK Relay API not externally exposed (Tailscale only)
OK SSH keys properly configured (ed25519, 600 perms)
OK 5/6 repos have .env in .gitignore

Severity	Finding	Action
CRIT	6+ secrets in plaintext in relay history	Proposal #002 (planned)
WARN	Pulse /health returns 404	Sent to sentinel
WARN	s60-mail has no nginx config on prod	Sent to sentinel
WARN	Relay API duplicates 28% of messages	Bug report needed

Proposals

Accepted Proposals

Proposal #001: Standardized Deploy Manifest (deploy.yml)

Predicted Impact

Rollout Plan

Risks

Proposal #002: Security Hardening — Secret Management

Exposed Secret Types

Predicted Impact

Rollout Plan

Positive Findings

Side Findings (from deploy audit)

Rejected (with learnings)

Implemented (with KPI comparison)