rotate-api-keys
Fail
Audited by Socket on Mar 1, 2026
1 alert found:
Obfuscated File
HIGH
SKILL.md
The procedure is functionally straightforward and implements a powerful local find-and-replace for credential rotation. It is not inherently malicious (no network exfiltration or obfuscation), but it has significant operational risk: broad defaults, lack of per-file verification or dry-run, plaintext handling of secrets (including backups and console output), and the potential for abuse if inputs are attacker-controlled. Treat this tool as high-impact: require explicit, limited target paths, implement dry-run and per-file confirmations, ensure inputs are safely quoted/escaped, avoid modifying logs by default, and securely manage or purge backups containing old keys.
Confidence: 98%
Audit Metadata