Completed Sam's requested credential hygiene update for the Cloudflare API check. This pass updated Notion, local env-style vault mirrors, and repo documentation. No new secrets were created and no Cloudflare DNS, redirect, cache, membership, or hosting changes were made.
Disabled active CF_API_TOKEN_2 and CF_API_TOKEN_3 assignments in local env-style vault mirrors because both failed Cloudflare token verification. Added status markers: CF_API_TOKEN_2_STATUS=DEPRECATED_FAILED_VERIFY_401_2026_05_24 and CF_API_TOKEN_3_STATUS=DEPRECATED_FAILED_VERIFY_401_2026_05_24.
Confirmed after sourcing .credentials/vault.env that CF_API_TOKEN, CF_API_TOKEN_4, and CF_SF_MCP_TRY still load, and CF_API_TOKEN_2 and CF_API_TOKEN_3 no longer load as active token variables.
Updated Notion API Keys & App Secrets with a Cloudflare token status section. The failed token names are struck through there.
Updated repo docs to strike through the failed Cloudflare token names and identify current usable tokens.
Updated Skills/wp-credentials/SKILL.md to remove hardcoded WordPress/Cloudways credential values and point to vault variables instead.
Rollback backup: /Users/samaguiar/Documents/Projects/admin/rollback/cloudflare-credential-status-20260524-105532
Report: /Users/samaguiar/Documents/Codex/reports/cloudflare-account-check-2026-05-24/summary.md
QA queue: /Users/samaguiar/Documents/Codex/_qa-queue/2026-05-24.md
Touched local vault mirrors included .credentials/vault.env, .credentials/api-keys.env, Repos/.credentials/api-keys.env, and Repos/sail-seo/.credentials/api-keys.env.
Repo-side docs updated included AGENT-TOOL-MANIFEST.md, .credentials/CREDENTIAL-INDEX.md, and Skills/wp-credentials/SKILL.md.
Token verify after the update: CF_API_TOKEN passed, CF_SF_MCP_TRY passed, CF_API_TOKEN_4 passed token verification, CF_API_TOKEN_2 and CF_API_TOKEN_3 were unset or disabled.
Repo scan confirmed the previously hardcoded WordPress/Cloudways credential values are no longer present in Skills/wp-credentials/SKILL.md or AGENT-TOOL-MANIFEST.md.
Use CF_API_TOKEN or CF_SF_MCP_TRY for current Cloudflare zone, DNS, Page Rules, account, and ruleset-list reads. Do not rely on CF_API_TOKEN_2 or CF_API_TOKEN_3 unless replacement values are intentionally created and mirrored. Ruleset detail still needs a higher-scope token or dashboard inspection before www is re-proxied.