From 7a1090795c3201a0612c447f6592fe79ff0faaf9 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Sun, 15 Mar 2026 18:21:46 +0000
Subject: [PATCH] rotate leaked MEMORY_API_KEY: use wrapper script instead of
 plaintext env vars

- Remove MEMORY_API_KEY and CLAUDE_MEMORY_API_KEY from settings.json env block
- Replace mcp.json inline config with wrapper script that sources GPG-encrypted secrets
- Add new rotated key to encrypted secrets.zsh
---
 dot_claude/settings.json                      |  4 --
 .../bin/executable_claude-memory-mcp-wrapper  |  7 ++++
 dot_mcp.json                                  |  8 +---
 .../custom/encrypted_secrets.zsh.asc          | 42 ++++++++++---------
 4 files changed, 30 insertions(+), 31 deletions(-)
 create mode 100644 dot_local/bin/executable_claude-memory-mcp-wrapper

diff --git a/dot_claude/settings.json b/dot_claude/settings.json
index c35570e..0e5fda9 100644
--- a/dot_claude/settings.json
+++ b/dot_claude/settings.json
@@ -1,11 +1,7 @@
 {
   "env": {
     "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS": "1",
-    "CLAUDE_MEMORY_API_KEY": "REDACTED_ROTATED_KEY",
-    "CLAUDE_MEMORY_API_URL": "https://claude-memory.viktorbarzin.me",
     "DISABLE_AUTOUPDATER": "1",
-    "MEMORY_API_KEY": "REDACTED_ROTATED_KEY",
-    "MEMORY_API_URL": "https://claude-memory.viktorbarzin.me",
     "STATUSLINE_DISABLE_BRANCH": "1",
     "STATUSLINE_DISABLE_CALENDAR": "1",
     "STATUSLINE_DISABLE_DIRECTORY": "1",
diff --git a/dot_local/bin/executable_claude-memory-mcp-wrapper b/dot_local/bin/executable_claude-memory-mcp-wrapper
new file mode 100644
index 0000000..6d6718c
--- /dev/null
+++ b/dot_local/bin/executable_claude-memory-mcp-wrapper
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Wrapper for claude-memory MCP server that sources secrets from GPG-encrypted file.
+# This avoids committing API keys in plaintext JSON configs.
+source ~/.oh-my-zsh/custom/secrets.zsh 2>/dev/null
+export MEMORY_API_URL="${MEMORY_API_URL:-https://claude-memory.viktorbarzin.me}"
+export PYTHONPATH="/Users/viktorbarzin/code/claude-memory-mcp/src"
+exec python3 /Users/viktorbarzin/code/claude-memory-mcp/src/claude_memory/mcp_server.py "$@"
diff --git a/dot_mcp.json b/dot_mcp.json
index 828f1b2..7474976 100644
--- a/dot_mcp.json
+++ b/dot_mcp.json
@@ -2,13 +2,7 @@
   "mcpServers": {
     "claude_memory": {
       "type": "stdio",
-      "command": "python3",
-      "args": ["/Users/viktorbarzin/code/claude-memory-mcp/src/claude_memory/mcp_server.py"],
-      "env": {
-        "MEMORY_API_URL": "https://claude-memory.viktorbarzin.me",
-        "MEMORY_API_KEY": "REDACTED_ROTATED_KEY",
-        "PYTHONPATH": "/Users/viktorbarzin/code/claude-memory-mcp/src"
-      }
+      "command": "/Users/viktorbarzin/.local/bin/claude-memory-mcp-wrapper"
     }
   }
 }
diff --git a/dot_oh-my-zsh/custom/encrypted_secrets.zsh.asc b/dot_oh-my-zsh/custom/encrypted_secrets.zsh.asc
index 02d7345..0ec9684 100644
--- a/dot_oh-my-zsh/custom/encrypted_secrets.zsh.asc
+++ b/dot_oh-my-zsh/custom/encrypted_secrets.zsh.asc
@@ -1,23 +1,25 @@
 -----BEGIN PGP MESSAGE-----
 
-hQEMA2I9C9ArYorXAQgA3F+sveuqsPWAfGv8GauznArr3qcWU9pYFHMsxRyqaOU4
-MhTIaZuGnw5JXJWKs1BaLNr54ZqnqyReMTiys14ub2FUoVrMLFZEuR2Om+VFTkca
-xVJiNjpbiSaBF/W4Ct0BxwMbX6P9ZXkyBd0y95j3kHizPTdz1srpd7NQvjP3L9nd
-E3MTjhx7UsqwV9o9ytELoMLPXGe+KZ+O1/QVTJ9BpjQY/0f1/BgE4vVpYij6V83u
-Qey+Ef7VUjuE7cCRTEnHnw/x+OGUN6avaVAk9E3QTmm3rVTgBcGeIdI7We4BgaoS
-dd5ixHOkfxellIDRfxFOnKQWJapmmNwzrMaV7ge8htLpAfdJY9KS17CCOGVnWZ+B
-7iWJwormgUx2S0Rv7pmHCy6vAzR0UP27ArO8u3fxJPRNEuQ4AnBfr/niOrscpKzi
-8/wkSf9ouTAJag1vO59zkACA5tRedRz+LOKXrVwRlPuv/BlsaDVotJ5HbSceG7Bs
-zjxy+bFPwdv9c2Ycq5ZMSEjvQdYV5nYfMTkcJ+0sg5ZwU8Ft5l7tRwCfLsxB2+c1
-dAcANRD2zi9aaMgPeQQY3L4BbG62x+gu/nVN7V+R6UfgcZ898nJAdgdyuW01sidD
-aQyljm0OX1adAFupQPzL7VajG4C16jCFlumj37Zx3meNTMlNF0SZeUwTFJ6eGX9A
-K1Z6GbDtwcM4msDXupiKzjiYI78C2wGToLzLwfxnKJgjbFe/bWFXeWKFvT2K8KK3
-YWrRtxKpUaaomw2xo2Sjf4vYvTA75+ifs2GCxdCawTmdGghnO3lI0tuBrSvYGchf
-lzLEgiLCuBq5qR7YjbrIrbMqvbMcm5k/8qMINfiDNtgUIfBWJ8HnvxNUx65a9cxQ
-FPSJsXguE0kGy2cqIi3vD5z+75Nur/CgHvBqFGmvgJTQKn4Z5MiS2SEoyh66JQxg
-fL5uFzFIApORdi8WsgKr9MtnkGktiWM3PWr5z4WirKwjqNeWauT+qU/Vd9d7dUnM
-d/z3d+r4InFk4DZrwjyiV4NtvXsjI1DeLKZjm9nDYYylei/89vpIhna0MJ98BklD
-rZHKYqFsj6SVvvCwFZ/dZIbos00f3cuqtA+7EvH/djLTcpWMnz4Whp0RfsaQxC2W
-lSH9gEPYhe7/OYdtu+a1vjhVVvAt9rUTNR2bdMnHbA==
-=jnXc
+hQEMA2I9C9ArYorXAQf+P3ToI0Ib8Pf9DHGfGUuNoKdz/41FQyKRywk+0zwwAo/j
++HxHxuHwMyo1W3yDG1/hReJImPbFt/3f7spVaRW9kGv+w/MGKopnhWOeOJdQBGGV
+Q5pXuEiSelyUfi0u6/XQYqFjLmYv0nR8k3GZN0Fh4XF0xpXJQdez1ml/Vh6R33Mz
+2xqgbSX6fQzUBYMKEKyVJx/ypFMkKEdhkqpFT+jjDL7IVbF9foew50u2w36PCn6j
+01rRmPiF4bBJsK6jx6sRe96e/iTLH27QnFKhcVX3vuW/Ypwg0BGd28+pso195BrI
+YuTAbkYSlXizJJ2goCZVD1OkX0oBC3HuWG7L+PJt19LpAbAy19fDlN+RawzrOfXd
+iBroiUbkM8uWuxHzPN/6OIByWlC1H0EjMh9cYbk/fvepNnm7n622knTEdNCh6mXh
+36sR+Rw3dQOS0W2//lPdyCDGhaq4vAteZE9p4OXfv1NDgeo0CMLCZVPAB/V9zTWm
+dJBJPPtaAJ+/2vw87nDDSwJHW1Dd1WS1jpMAH6igh5YzAjlakwUXgeMunkvWnbAK
+lDTJ5l9UY5XqiOhvXwQZiXq+VN4SJneTHW7+qJ3oh5N2o2LpQZxeCxD+lzt3IQun
+bpFif8jTf/atGCFPOemzwp2jAreT+ish7LUK8elCItaYQxHISidsdZ5VfjF4Vasl
+XGoFjCLEbG2LiE74opMFSRXHXmDyawvZA+1Ck9jVaN2U0YtcAaPhXD4toEGbWNSg
+zKPkwPtRu2xBQCZZGE4dhlC+N7f8+rCftCsdaPYaR7Tw+DhFHPuEcrSMNNgc8PDB
+TXsbPbQWTrHjQas9NfQQd2l/wt4TQ6EwAWwcbw5zFL5h9Se3LIH5bR2auiqYJFPz
+FNOBtsA4YIV3sieoAM7CRhebzhgXlrflCbOf2954GXS/BLaodY4etUs+6jP5l4fE
+S8hOYFDMEyvXWFKA9vjL/hoG1Wa9qVg2ayGiRzC0GQLtKIQitAPgRxz5ueV94kAV
+vwvE+O7Bxa6gyFE7MfDkFpq/cPCOyAKC3hEO6uWiK27kXSvShma2uX5QYOxYItOG
+P3XaSrmUNMjGdu2THjFB4jegRBMQy7A/o4SDIokJ/e9qadm/tTnODiULVj/JQ9vp
+1gbS3hUNo/arW1/hIeaWYyV6fJU6sxTIa37jNlInnBfwW1jcISryUesFQzkzvrh/
+qsa8gUX4ScZ6EUQQe94sMm6BGy2bSX+u3P6plbxaKcvvPyy5bxau3uRkCi+i7osP
+iec1VFrv1G6odgDboNJinG4=
+=rr5f
 -----END PGP MESSAGE-----