> ## Documentation Index
> Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Database password rotation (operator)

> If a Postgres password or connection string was exposed (chat, logs, CI output), rotate it immediately.

If a Postgres password or connection string was exposed (chat, logs, CI output), rotate it immediately.

## Dev (`Encore OS` — project ref `anuwknikgsijbameytzr`)

1. Supabase Dashboard → **Project Settings** → **Database** → **Database password** → **Reset database password**.
2. Update local secrets only in **`.env.local`** (gitignored):
   * `SUPABASE_DEV_DB_URL` (use **Session pooler** URI; see [SUPABASE\_MULTI\_ENV\_SETUP.md](/development/supabase/SUPABASE_MULTI_ENV_SETUP) § Database connections).
   * `SUPABASE_SERVICE_ROLE_KEY` if you store it for REST-based seed extraction.
3. Update any CI/GitHub Actions secrets that referenced the old password.
4. Do **not** commit passwords or pooler URIs to `.env` (tracked). Prefer `.env.local`.

## Production (`encore_os_prod` — project ref `aximlomrwfuhctxjhrsf`)

Same steps on the production project. Coordinate a short maintenance window if clients use the DB password directly (they should use the pooler + app secrets instead).

## Verification

After rotation, from repo root:

```powershell theme={null}
node --env-file=.env.local --import tsx scripts/migration/extract-system-defaults.ts --dry-run
```

Expect a summary table with non-zero row counts for each catalog table.
