
IR Brief — Fix 3: KEY_SERVER_SECRET Persistence

SURFACE: ucca-ir Worker + ucca-keys Worker + credentials file
DO NOT TOUCH: any application code, frontend, CSS, D1 schema, Twilio config


Problem

KEY_SERVER_SECRET was set on both Workers during Session 3 but was never saved to the credentials file. Wrangler secrets are write-only (they can be listed but not read back), so if either Worker is ever recreated, or the secret has to be set in any other environment, the value is unrecoverable. It must be persisted to ~/projects/ucca-project/.credentials/cloudflare.env.

Action — Run this exact sequence

From ~/projects/ucca-project/:

# Generate a fresh 32-byte hex secret
SECRET=$(openssl rand -hex 32)

# Set on ucca-keys Worker
echo "$SECRET" | npx wrangler secret put KEY_SERVER_SECRET --name=ucca-keys

# Set on ucca-ir Worker  
echo "$SECRET" | npx wrangler secret put KEY_SERVER_SECRET --name=ucca-ir

# Persist to credentials file
echo "KEY_SERVER_SECRET=$SECRET" >> ~/projects/ucca-project/.credentials/cloudflare.env

# Verify it was written
grep KEY_SERVER_SECRET ~/projects/ucca-project/.credentials/cloudflare.env

Important: This generates a NEW secret and sets it on both Workers in one pass. Both Workers must always share the same value: ucca-ir signs, ucca-keys verifies. If they differ, verification fails for every ledger entry, not just the old ones. Run the sequence exactly once: the >> append adds a second KEY_SERVER_SECRET= line if it is repeated, and the acceptance check below expects exactly one. The credentials file should also be readable only by you (chmod 600 ~/projects/ucca-project/.credentials/cloudflare.env).
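The same procedure as a re-runnable script, added here as an example and not part of the original brief or the ucca-project tooling. It replaces the bare >> append with an upsert so a second run cannot leave a duplicate KEY_SERVER_SECRET= line, validates that the value looks like `openssl rand -hex 32` output, and pushes the one value to both Workers. The CRED_FILE path comes from the brief; the DRY_RUN variable and the helper function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: idempotent rotate-and-persist for KEY_SERVER_SECRET.
set -euo pipefail

# Path from the brief; override with CRED_FILE=... for testing.
CRED_FILE="${CRED_FILE:-$HOME/projects/ucca-project/.credentials/cloudflare.env}"

# True if $1 is exactly 64 lowercase hex chars (what `openssl rand -hex 32` emits).
is_hex32() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Replace or append KEY=VALUE in an env file, so re-running never duplicates the line.
# Creates the file with mode 600 and keeps it that way.
upsert_env() {
  local file="$1" key="$2" value="$3" tmp
  mkdir -p "$(dirname "$file")"
  touch "$file"
  chmod 600 "$file"
  tmp="$(mktemp)"
  grep -v "^${key}=" "$file" > "$tmp" || true   # grep exits 1 on an empty file; that is fine
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  mv "$tmp" "$file"
  chmod 600 "$file"
}

# Number of lines for KEY in FILE; the acceptance criterion wants exactly 1.
count_key() {
  grep -c "^$2=" "$1" || true
}

# Value of KEY in FILE (first match), empty if absent.
read_env() {
  sed -n "s/^$2=//p" "$1" | head -n1
}

# Push the secret to one Worker. printf (not echo) avoids sending a trailing newline.
# With DRY_RUN=1 (assumed variable, for offline use) it only prints the command.
set_worker_secret() {
  local worker="$1" secret="$2"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "would run: npx wrangler secret put KEY_SERVER_SECRET --name=$worker"
    return 0
  fi
  printf '%s' "$secret" | npx wrangler secret put KEY_SERVER_SECRET --name="$worker"
}

# Generate one secret, set it on both Workers, then persist and verify the file.
rotate_and_persist() {
  local secret
  secret="$(openssl rand -hex 32)"
  is_hex32 "$secret" || { echo "generated value is not 64 hex chars" >&2; return 1; }
  # Both Workers get the same value: ucca-ir signs, ucca-keys verifies.
  set_worker_secret ucca-keys "$secret"
  set_worker_secret ucca-ir   "$secret"
  upsert_env "$CRED_FILE" KEY_SERVER_SECRET "$secret"
  # Acceptance check: exactly one line, and it holds the value we just set.
  [ "$(count_key "$CRED_FILE" KEY_SERVER_SECRET)" = "1" ] || return 1
  [ "$(read_env "$CRED_FILE" KEY_SERVER_SECRET)" = "$secret" ]
}

# Usage from ~/projects/ucca-project/:  DRY_RUN=1 ./rotate.sh  (preview)  then  ./rotate.sh
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  rotate_and_persist
fi
```

Run it once with DRY_RUN=1 to see the two wrangler commands and confirm the file path before touching the Workers; a second real run is safe because upsert_env rewrites the existing line rather than appending another.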

After running

Verify the Workers are still operating correctly:
  1. Hit keys.ucca.online/verify/[any existing hash] — should return a valid key record
  2. Confirm the grep output shows exactly one line with KEY_SERVER_SECRET= followed by a 64-char hex string

Note on existing ledger entries

The 2 existing ledger entries in engine-db were signed with the old secret. After rotating, those entries will fail verification at keys.ucca.online/verify/ — they'll return invalid/not-found. This is acceptable for test records. If Tim wants the test entries to remain verifiable, the only alternatives are to read the existing value back from the Worker (not possible: wrangler secrets are write-only) or to skip rotation and persist the existing value, which requires already knowing it.

Recommendation: Rotate and persist. The 2 records are Tim's own test entries, not real registrants. Clean slate.

Acceptance criteria

  1. grep KEY_SERVER_SECRET ~/projects/ucca-project/.credentials/cloudflare.env returns exactly one line, KEY_SERVER_SECRET= followed by a 64-char hex value ✓
  2. wrangler secret list --name=ucca-keys shows KEY_SERVER_SECRET
  3. wrangler secret list --name=ucca-ir shows KEY_SERVER_SECRET
  4. keys.ucca.online/verify/[new hash from a fresh test registration] resolves correctly ✓