Rotating password_seed

When: Database passwords may have been exposed.

Impact: All derived passwords change. Databases will reject connections until updated.

Caution

This is disruptive. All apps will lose database connectivity until passwords are updated. Consider whether the threat warrants downtime.

Steps

1. Stop all apps:

   docker stop $(docker ps -q --filter label=holden.managed=true)

2. Update each database password manually:

   PostgreSQL:

   docker exec -it myapp-needs-postgres psql -U postgres -c \
     "ALTER USER myapp PASSWORD 'new-password';"

   Valkey:

   docker exec -it myapp-needs-valkey valkey-cli CONFIG SET requirepass "new-password"

3. Generate a new seed:

   openssl rand -hex 32 > /data/password_seed

4. Restart Holden:

   docker restart holden

Apps will reconnect with the new derived passwords.