Decide blast radius:

Add an entry to ~/Sync/ED/TASKS.md Active — Security/Credentials section with the exact value so future-you knows what to rotate. Include the consumer map (where the credential is used).

Example (this happened on 2026-05-25 with the *arr keys):

- [ ] **Rotate Sonarr/Radarr/Lidarr API keys** — they were hardcoded in
  ~/Sync/ED/skills/arr-media-management/SKILL.md (Syncthing-replicated).
  Old values: d792444549..., b117993eb50..., 3dc17d20ca664...
  Consumers: Prowlarr (settings → apps), Recyclarr (yaml), homelab-config (none — extracts at runtime via arr-briefing-data.py)

Service-specific procedures live in dedicated runbooks where they’re complicated:

• Rotate *arr API keys
• Anthropic API key (the “Fix” section of doc-sync auth-fail is also a rotation procedure)

For simple cases: log in to the service, generate a new credential, save the new value to ~/Sync/ED/SECRETS.md, update consumers, test.

For containerized services: docker restart <name> after env var update. For Mac launchd: kickstart the job. For Claude Desktop: full quit + relaunch.

If the leak was into a git repo:

# Find every commit containing the value
git -C ~/Sync/ED log -p --all -S 'leaked-value-here' | head -30

# Remove from history (heavy — use only when necessary, force-pushes break clones)
# Prefer rotating + accepting that the historical value is exposed but inert.

For the homelab-config repo (private but synced), rotating the underlying credential is usually enough — historical exposure of a now-invalid key is not a real risk.

Once consumers are updated and the new credential works:

• Remove the rotation entry from TASKS.md
• Update SECRETS.md with the new value + last-rotated date
• If the leak was a class of mistake (hardcoded in a SKILL, committed in a config), add a defense:
  • Pre-commit hook to scan for sk-, <ApiKey>, etc.
  • Bundle behavioral rule against the pattern
  • Linter for the file type