Security Audit — 2026-06-01 (honest, calibrated)
Sam asked: am I secure? can anyone access portal/wifi/computer? could a hacker wipe/steal/encrypt everything? Answer: architecture is RIGHT (secrets vaulted, portal gated); breaks are last-mile convenience shortcuts. Portal is NOT open. The one real internet→house bridge is the cameras.
Direct answers
- Portal access: NO — Cloudflare Access (Google login, Sam-only). Locked. ✅
- Wi-Fi → computer → ransomware: not via the portal. The ONE real bridge = the Hikvision NVR exposed to internet. Harden it.
- Bank drain: NO — Plaid is read-only; can't move money even if token leaks.
RANKED RISKS + fix + owner
- 🔴 OpenAI key in plaintext hookstreet-ops-api.txt + Stitch key stitch-api-key.txt (gitignored, but readable on disk). FIX: rotate both (5 min, SAM at platform.openai.com + Stitch console), move to Worker secrets, delete the .txt. → worst case = someone runs up the bill.
- 🔴 OPS_READ_TOKEN hardcoded in committed home.html/home-cockpit/link.html (opskey_da23...). Repo private so not live-breached, but in git history forever + grants read of Plaid balances. FIX: rotate OPS_READ_TOKEN in Worker, remove from HTML (fetch server-side post-CF-Access). → CLAUDE can do the code side; SAM rotates.
- 🎥 Hikvision NVR exposed to internet (d6468120.eero.online:8500/8501, user admin). Hikvision NVRs = top global botnet/hack target; weak pw → kids'-room access + foothold onto home LAN → the real path to the computer. FIX (SAM, before relying on it): change admin pw to 16+ random, change web port off 8500, enable HTTPS, lockout on failed logins; BEST = put behind Cloudflare Tunnel (no raw port-forward) — CLAUDE can plan the tunnel.
- 🟡 Schwab/Finnhub keys plaintext in MIS sheet CONTROL tab (not in git; visible to sheet viewers). FIX: rotate + move to PropertiesService (SAM + CLAUDE).
- 🟡 Financial data in committed outputs/*.html (account last-4s, balances). Fine WHILE repo private; redact or gitignore if ever public. Verify repo is private.
- 🟡 LevSMS Apps Script Web App "Anyone" + Twilio webhook. FIX: monitor webhook, consider tightening.
FINE (don't fear these)
Portal gated ✅ · Plaid tokens server-side in KV ✅ · inbox/telegram/twilio secrets in Script Properties ✅ · MIS code clean ✅ · computer not directly exposed ✅
Priority order
SAM 5-min: rotate OpenAI + Stitch keys, delete the 2 .txt files.
SAM before trusting cameras: change NVR admin password (THE important one).
CLAUDE: rotate+remove OPS_READ_TOKEN from HTML; plan Cloudflare Tunnel for cameras (kills the port-forward exposure).
SOON: Schwab keys → PropertiesService; confirm repo private.
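
Added example (not part of the original audit or the repo's code): a check to run after the two 🔴 fixes, confirming no OPS_READ_TOKEN or OpenAI key is left in the HTML or in .txt files on disk. Only the opskey_ prefix comes from the audit; the token tail format, the scanned suffixes and the sample input are assumptions.

```python
import re
import sys
from pathlib import Path

# "opskey_" prefix comes from the audit; the tail charset/length is an assumption.
# OpenAI API keys start with "sk-".
PATTERNS = {
    "OPS_READ_TOKEN": re.compile(r"\bopskey_[A-Za-z0-9]{8,}"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
}
SCAN_SUFFIXES = {".html", ".js", ".txt"}  # assumed set of files worth checking

# Constructed sample of the pattern the audit flags: a read token baked into page HTML.
SAMPLE_HTML = """<script>
const KEY = "opskey_CONSTRUCTED0000EXAMPLE";
fetch("/api/balances?key=" + KEY);
</script>"""

def redact(secret, keep=6):
    """Keep only a short prefix so the report is not another plaintext copy."""
    return f"{secret[:keep]}...({len(secret)} chars)"

def scan_text(name, text):
    """Return (file, line number, kind, redacted match) for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((name, lineno, kind, redact(m.group())))
    return findings

def scan_tree(root):
    """Walk the disk, not the git index, so gitignored key files are still seen."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if ".git" in path.parts or not path.is_file():
            continue
        if path.suffix in SCAN_SUFFIXES:
            text = path.read_text(errors="replace")
            findings += scan_text(str(path.relative_to(root)), text)
    return findings

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text("sample", SAMPLE_HTML)
    for hit in hits:
        print("%s:%d %s %s" % hit)
    sys.exit(1 if hits else 0)
```

The non-zero exit on any hit lets this run as a pre-commit check. A clean result covers the working tree only, not git history, so rotation is still required.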