Rotate API keys, database passwords, and other secrets across your project's config files with a single command. Supports .env files, JSON configs, and YAML. Includes dry-run mode, audit log, and one-step rollback.
.env, JSON, and YAML config file support
Pattern-based secret detection (key name matching)
Dry-run mode — preview all changes before applying
Audit log of all rotations (timestamp, file, key name)
One-step rollback with backup snapshots
Pluggable generator: random, UUID, bcrypt hash, or custom
Git-aware: refuses to write to tracked files without confirmation
# Dry run: preview what would be rotated
python rotate.py --config .env --dry-run
# Rotate all keys matching pattern
python rotate.py --config .env --pattern "*_SECRET,*_KEY"
# Rollback last rotation
python rotate.py --rollback