בס״ד

Security Audit — 2026-06-01 (honest, calibrated)

docs/SECURITY_AUDIT_2026-06-01.md · last changed (pre-VM history) · rendered from GitHub master

Security Audit — 2026-06-01 (honest, calibrated)

Sam asked: am I secure? can anyone access portal/wifi/computer? could a hacker wipe/steal/encrypt everything? Answer: architecture is RIGHT (secrets vaulted, portal gated); breaks are last-mile convenience shortcuts. Portal is NOT open. The one real internet→house bridge is the cameras.

Direct answers

RANKED RISKS + fix + owner

  1. 🔴 OpenAI key in plaintext hookstreet-ops-api.txt + Stitch key stitch-api-key.txt (gitignored, but readable on disk). FIX: rotate both (5 min, SAM at platform.openai.com + Stitch console), move to Worker secrets, delete the .txt. → worst case = someone runs up the bill.
  2. 🔴 OPS_READ_TOKEN hardcoded in committed home.html/home-cockpit/link.html (opskey_da23...). Repo private so not live-breached, but in git history forever + grants read of Plaid balances. FIX: rotate OPS_READ_TOKEN in Worker, remove from HTML (fetch server-side post-CF-Access). → CLAUDE can do the code side; SAM rotates.
  3. 🎥 Hikvision NVR exposed to internet (d6468120.eero.online:8500/8501, user admin). Hikvision NVRs = top global botnet/hack target; weak pw → kids'-room access + foothold onto home LAN → the real path to the computer. FIX (SAM, before relying on it): change admin pw to 16+ random, change web port off 8500, enable HTTPS, lockout on failed logins; BEST = put behind Cloudflare Tunnel (no raw port-forward) — CLAUDE can plan the tunnel.
  4. 🟡 Schwab/Finnhub keys plaintext in MIS sheet CONTROL tab (not in git; visible to sheet viewers). FIX: rotate + move to PropertiesService (SAM + CLAUDE).
  5. 🟡 Financial data in committed outputs/*.html (account last-4s, balances). Fine WHILE repo private; redact or gitignore if ever public. Verify repo is private.
  6. 🟡 LevSMS Apps Script Web App "Anyone" + Twilio webhook. FIX: monitor webhook, consider tightening.

FINE (don't fear these)

Portal gated ✅ · Plaid tokens server-side in KV ✅ · inbox/telegram/twilio secrets in Script Properties ✅ · MIS code clean ✅ · computer not directly exposed ✅

Priority order

SAM 5-min: rotate OpenAI + Stitch keys, delete the 2 .txt files.
SAM before trusting cameras: change NVR admin password (THE important one).
CLAUDE: rotate+remove OPS_READ_TOKEN from HTML; plan Cloudflare Tunnel for cameras (kills the port-forward exposure).
SOON: Schwab keys → PropertiesService; confirm repo private.

Source trail · docs/SECURITY_AUDIT_2026-06-01.md @ master · rendered 2026-07-02 7:23 PM EDT by scripts/build-docs.py · the .md in the repo is the truth; this page is the phone-readable view