keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/_blocks/domain-has-secrets.md
denis 0b901cf2f9 feat: KeiSeiKit v0.1.0 — initial public release 
Generic Constructor-Pattern agent kit for Claude Code. Zero personal data,
fully English, MIT-licensed.

Contents:
- 34 reusable blocks (baseline, rules, stack/deploy/domain/api/scraper)
- 14 cross-project agent manifests (code/ml/infra/researcher/critic/...)
- 6 portable skills (/new-agent, /research, /test-gen, /debug-deep, /pr-review, /refactor)
- Rust assembler (single binary, ~500 KB)
- 3 hooks (auto-reassemble, pre-commit validate, no-hand-edit)
- install.sh (idempotent, cargo-builds on first run)
- MIT LICENSE

All 6 sanity greps pass: 0 Russian text, 0 specific project names,
0 incident numbers, 0 user paths, 0 hardcoded IPs, 0 API keys.

cargo check + assemble --validate: both pass on 14 manifests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 23:58:34 +08:00

1.5 KiB
Raw Blame History

DOMAIN — Secrets handling

Project stores credentials / API keys / private keys / tunnel keys. Treat every leaked byte as irrecoverable.

Storage convention:

  • Path: <repo>/secrets/*.env — NEVER checked in.
  • .gitignore has secrets/ before any secret is written into the tree. Verify with git check-ignore secrets/foo.env (should print the path).
  • File permissions chmod 600 on every secret file.

Reference by path only in reports / logs / chats:

"Using keys from secrets/nodes.env" — GOOD. "Using key abc123xyz..." — FORBIDDEN.

Never echo secret values in:

  • Agent output / tool reports
  • Chat messages back to user
  • Stdout / stderr of running processes
  • Commit messages, PR descriptions
  • Error messages (log the CODE path, not the token)

Loading at runtime:

  • Rust: dotenvy or plain std::env::var after direnv allow.
  • Python: python-dotenv at startup, NEVER inline literals.
  • Node/Next: .env.local (.gitignore), platform vars in prod.
  • Shell: source secrets/foo.envexport inside, never commit the export line.

Rotation: when a secret is suspected leaked — rotate at provider → update secrets/*.env → restart services → verify old key rejected. Do not "wait and see".

Forbidden: committing .env / secrets/ (even once — git history persists); echoing values in reports; literal API keys in lib/ / src/ / Cargo.toml / package.json; git add -A in a repo that has secrets (use explicit file paths); copying secret values into chat to "show" user what's there.