Path7 Stack Audit

2026-05-10 · scott@path7.co · v0.1 inaugural

Headline findings

Keystone identity unhardened. scott@path7.co Google account has 0 security keys; 2 unused YubiKeys sitting on the desk.
Shopify account is the weakest link. No password ever set, no 2SV, no secondary email — protected only by a single synced passkey tied to the Google account.
All app eggs in Vercel basket. 6+ live properties, all under one team. No DR plan, no second host pre-flighted.
No vault for stack metadata. live-apps.md is informal — needs structured registry to feed audits like this one without manual recall.
IP layer in good shape. path7-toolkit is centralized; clients consume via editable install. No fork sprawl.

1. Identity & AccessAction needed

Tonight's blindspot. Two YubiKey 5 NFCs (serial 23010879 + a sibling somewhere) bought 2026-04-05, never enrolled meaningfully. Sites you actually use as a CGO depend on a single recovery path.

Service	Password	2FA	HW key	Status
Google scott@path7.co	—	Prompt + TOTP + SMS	—	Soft
Google scott.scherp@gmail.com	—	—	—	Unknown
Shopify (scott.scherp)	Never set	Off	—	Weak
1Password	Master	?	—	Verify
GitHub (scottscherp)	?	?	—	Verify
Vercel	—	?	—	Verify
Cloudflare	—	—	—	No account
Linear	—	?	—	Implementing

Next:

Find YubiKey #2 (Amazon AU shipment 2026-04-08 — 2 units).
ykman fido reset both, set memorable PINs, store in 1P.
Enroll both on scott@path7.co. Enable Google Advanced Protection.
Add to 1Password 2FA, GitHub, Vercel, future Cloudflare.
Stash key #2 off-site (parents', deposit box, not same drawer as #1).
Set Shopify password, secondary email, 2SV — full belt & braces.

2. Hosting / VercelConcentrated

Single team owns everything. No multi-region failover; if Vercel has a billing issue, 6+ properties go dark simultaneously. Acceptable for current scale, problematic at Operator Hub stage.

App	Domain	Tier	$/mo
Path7 Labs landing	landing.path7labs.com	Hobby	$0
Tactics PDP preview	tactics.path7labs.com	Hobby	$0
Augusta Pots prototype	augustapots.path7labs.com	Hobby	$0
Phoenix United mockup	pu.path7labs.com	Hobby	$0
Shopify token guide	shopify-token-guide.path7labs.com	Hobby	$0
Operator Hub (planned)	dash.path7labs.com	—	$0
Toggle dashboard (paused)	—	Hobby	$0
This audit	(deploy after)	Hobby	$0

Pro tipping point: ~100GB bandwidth/mo OR commercial use → mandatory upgrade
Pro cost: $20/seat/mo
Hobby commercial-use risk: Strict reading: client-billing work on Hobby is a TOS violation. Not enforced today, but flagged for awareness.

Next: Continue Hobby until commercial use becomes load-bearing. Pre-flight migration story for one app to alternate host (Cloudflare Pages, Netlify, or self-host) to validate not-locked-in.

3. Commerce / ShopifyOperational

Largest line-item by far. Mix of Plus, Standard, and dev stores across client engagements + own.

Store	Status	Plan	$/mo
Lakai (lakailtd)	Production	Plus	~$2,300
Lakai Europe	Production (Arnau)	?	?
Tactics	Active build	Standard?	$79
Eastern Skateboard	Scoping	—	$0
Augusta Pots	Prototype	Dev	$0
Phoenix United	Build	Dev	$0
Scherp dev store	Dev	Dev	$0
Scherp prod store	Prod	Standard?	$79?

Lakai Plus is client-billed; only Scherp's own store is on you directly. Most dev stores are free during build phase.

Next: Confirm which Shopify charges hit your card vs the client's. The "scott.scherp@gmail.com" account that appears as collaborator on multiple stores is a unification risk if compromised.

4. Communications / MarketingMixed

Service	Used by	$/mo
Klaviyo	Lakai (active sends), Tactics (planned IG pipeline)	Client-billed
Google Workspace	path7.co	$6–$12
Asana	Tactics IG workflow (Kamden manual)	?
Linear	Implementing now	$0 free tier
Notion / Obsidian	None — _brain is filesystem markdown	$0

Next: Tactics IG → Klaviyo auto-pipeline (memory-flagged HIGH priority). Replaces Asana ceremony. Saves Kamden time + reduces a SaaS dependency.

5. Local Rig & AIRight-sized

GPU: RTX 5060 8GB (constrains local LLM to ~7B)
Local LLM: Ollama / qwen2.5:7b — fallback only
Frontier engine: Claude (Opus 4.7 / Sonnet 4.6) — heavy lifting
Live voice loop: Planned, not built. Needs Cloudflare Tunnel for remote use.
Plaud pipeline: Planned. Voice-to-vault async.
Litigation isolation: Open question — separate machine? RTX 5090 doubles as 70B model + isolation.

Next: Decide on litigation isolation before any privileged content touches the agent stack. RTX 5090 path is the cleanest if budget allows — single justified upgrade.

6. Cost SnapshotLean

Bucket	$/mo (est)
Vercel (all hobby)	$0
Cloudflare	$0 (no account)
Google Workspace (path7.co)	$6–$12
Shopify (own + client passthrough excluded)	$0–$79
1Password	$3–$8
Linear	$0 (free tier)
Anthropic / Claude	$$$ (variable)
Domain renewals	~$3/mo amortized
Direct ops total	~$15–$110/mo

Anthropic spend is the line that grows. Track it monthly. When it crosses ~$200/mo sustained, start looking at where local 7B can absorb fallback work.

7. Risk RegisterReview monthly

Risk	Severity	Mitigation
Google account compromise	High	YubiKeys + Advanced Protection
Shopify account compromise	High	Set password + 2SV today
Single Vercel team for all client work	Med	Pre-flight DR; possibly separate teams per client
Local rig theft / SSD failure	Med	vault on cloud sync; client repos on GitHub
Privileged content leak via agent	High	Litigation isolation decision pending
YubiKey #2 lost before enrollment	Med	Locate before reset/enroll
Single Klaviyo / Asana / etc operator (Kamden, Arnau)	Med	Workflow docs in vault, not in any single head

8. Recommended Sequence (next 7 days)Prioritized

Tonight: Find YubiKey #2. Reset both. Choose PIN. Save in 1P.
Tomorrow AM: Enroll both on scott@path7.co. Turn on Google Advanced Protection.
Tomorrow PM: Add password + 2SV + secondary email to Shopify scott.scherp account.
Day 3: Add YubiKeys to 1Password 2FA + GitHub. Verify Vercel 2FA setup.
Day 4: Stand up structured registry: _brain/90-System/apps/ + services/ with frontmatter. Migrate live-apps.md content.
Day 5: Sign up for Cloudflare. Enroll YubiKeys. Stand up Tunnel + Access for one preview as proof.
Day 6: Stash YubiKey #2 off-site.
Day 7: Re-run this audit. Compare deltas.

9. Audit metadataVersioning

Version: 0.1
Generated: 2026-05-10 by Claude (Opus 4.7) from vault context + live YubiKey state
Inputs: _brain/90-System/live-apps.md, MEMORY.md, Gmail search (scott.scherp@gmail.com), ykman info, user statements in session
Blindspots: scott@path7.co Gmail not connected to MCP — can't see security alerts on keystone identity directly. YubiKey #2 location unknown. 1Password / Vercel / GitHub 2FA states not directly verified.
Next audit: Re-run after Day 7 sequence above. Track YubiKey enrollment delta and Shopify hardening delta.

This is v0.1 — inaugural. Future versions should pull from a structured registry (apps/services frontmatter) not human recall, and cross-check 2FA state via APIs where possible.