0be354a920
Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks. Contents: - 100 Rust crates (_primitives/_rust/) - 37 agent manifests (_manifests/) + generated specs (_generated/) - 67 user-invocable skills (skills/) - 33 hooks (hooks/) - Composition blocks (_blocks/) - Documentation (docs/, README.md) - TS adapter packages (_ts_packages/) - Assembler (_assembler/) - Roles (_roles/) - Templates (_templates/) - Forgejo CI (.forgejo/) Author: Denis Parfionovich <info@greendragon.info> License: see LICENSE.
1.5 KiB
1.5 KiB
DOMAIN — Secrets handling
Project stores credentials / API keys / private keys / tunnel keys. Treat every leaked byte as irrecoverable.
Storage convention:
- Path:
<repo>/secrets/*.env— NEVER checked in. .gitignorehassecrets/before any secret is written into the tree. Verify withgit check-ignore secrets/foo.env(should print the path).- File permissions
chmod 600on every secret file.
Reference by path only in reports / logs / chats:
"Using keys from
secrets/nodes.env" — GOOD. "Using keyabc123xyz..." — FORBIDDEN.
Never echo secret values in:
- Agent output / tool reports
- Chat messages back to user
- Stdout / stderr of running processes
- Commit messages, PR descriptions
- Error messages (log the CODE path, not the token)
Loading at runtime:
- Rust:
dotenvyor plainstd::env::varafterdirenv allow. - Python:
python-dotenvat startup, NEVER inline literals. - Node/Next:
.env.local(.gitignore), platform vars in prod. - Shell:
source secrets/foo.env→exportinside, never commit the export line.
Rotation: when a secret is suspected leaked — rotate at provider → update secrets/*.env → restart services → verify old key rejected. Do not "wait and see".
Forbidden: committing .env / secrets/ (even once — git history persists); echoing values in reports; literal API keys in lib/ / src/ / Cargo.toml / package.json; git add -A in a repo that has secrets (use explicit file paths); copying secret values into chat to "show" user what's there.