Secrets — envpact only, never in chat
The policy
Every credential the family uses is fetched from envpact at deploy time or build time; secrets never appear in source code, in chat transcripts, or in commit messages, and any leak triggers immediate revoke + rotate.
Scope
- All API keys, tokens, webhook signing secrets, service-account JSON, SMTP credentials, Razorpay keys, reCAPTCHA secret keys.
- All sites, extensions, packages, and the `apps/apiWorker`.
- All GitHub Actions workflows (read via `chirag127/envpact-action@v0`).
- Local dev (read via `npx envpact-cli@latest` populating `.env`).
Rules
- Pull from envpact at runtime / build time. CI uses the `envpact-action` with the `ENVPACT_VAULT_TOKEN` repo secret; local dev runs:

  ```sh
  npx envpact-cli@latest # populates .env for the current project
  ```

- Never hardcode. No literal tokens, keys, or secrets in any `.ts`, `.js`, `.astro`, `.json`, `.yml`, `.toml`, `.md`, or `.example` file checked into git.
- Server-only vs public. `FIREBASE_SERVICE_ACCOUNT_KEY` is server-only — never expose it to a client bundle. `PUBLIC_FIREBASE_*` keys are safe in the client (they are not secrets, they are public config).
- Never paste a secret into chat. Not into the AI agent, not into the assistant transcript, not into a GitHub issue, not into Discord. If the agent asks for a secret value, the user gives it the env-var name, not the value.
- On leak: revoke first, ask questions later. If a secret enters chat or any other untrusted surface:
  - Revoke at the relevant dashboard immediately.
  - Reissue a new credential.
  - Re-store under the same name in envpact.
  - Trigger a redeploy of every consumer.
  - Audit recent logs for unauthorised use of the leaked credential.
- No card-on-file constraint. Per the no-card-on-file rule, credentials granting billing-attached access (e.g. a Cloudflare API token tied to a paid account) are out-of-scope by construction — the family has no such accounts.
Exceptions
- `PUBLIC_*` env vars. Public Firebase config keys, public reCAPTCHA site keys, and public AdSense pub IDs are not secrets and may be hardcoded into client bundles. They follow the `PUBLIC_` prefix convention so the distinction is visible at the call site.
- `.env.example` files. May contain placeholder values (`FIREBASE_SERVICE_ACCOUNT_KEY=replace-me`) but never real ones.
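As an added example that is not part of this policy page or the envpact project: a small scanner that enforces the never-hardcode rule together with both exceptions (`PUBLIC_*` config and `.env.example` placeholders) over the file types the rule names, plus a check that a built client bundle does not reference a server-only variable. The credential-name heuristic, the placeholder list, the sample repository contents, and the bundle snippet are constructed assumptions; the file suffixes and the `PUBLIC_` / `FIREBASE_SERVICE_ACCOUNT_KEY` split come from the rules above.

```python
"""Scan checked-in files for hardcoded credentials (added example, not project code)."""
import re
from typing import Dict, List, Tuple

# File types the policy names as "checked into git".
CHECKED_IN_SUFFIXES = (".ts", ".js", ".astro", ".json", ".yml", ".toml", ".md", ".example")

# Heuristic (an assumption): variable names that usually carry credentials.
SECRET_NAME = re.compile(r"[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIALS?|SERVICE_ACCOUNT)[A-Z0-9_]*")

# Assignment shapes: dotenv NAME=value, JSON/YAML "NAME": "value", TS const NAME = "value".
ASSIGN = re.compile(r"""(?P<name>[A-Z][A-Z0-9_]+)["']?\s*[=:]\s*["']?(?P<value>[^"'\s,;]*)""")

# Values that are fine in a checked-in file: empty, placeholders, or an indirection
# to the environment (which envpact populates at build/deploy time).
PLACEHOLDER = re.compile(
    r"^(|replace-me|changeme|todo|xxx+|<[^>]*>|\$\{?[A-Za-z_][A-Za-z0-9_]*\}?"
    r"|process\.env\.[A-Za-z0-9_]+|import\.meta\.env\.[A-Za-z0-9_]+)$",
    re.I,
)

# Server-only names from the policy; a client bundle must never reference them.
SERVER_ONLY = {"FIREBASE_SERVICE_ACCOUNT_KEY"}


def is_allowed(name: str, value: str) -> bool:
    """PUBLIC_* is public config by convention; placeholders carry no secret."""
    if name.startswith("PUBLIC_"):
        return True
    return bool(PLACEHOLDER.match(value))


def scan_file(path: str, text: str) -> List[Tuple[int, str]]:
    """Return (line_no, var_name) for every secret-looking literal in a checked-in file."""
    if not path.endswith(CHECKED_IN_SUFFIXES):
        return []  # e.g. a local .env is gitignored and out of scope for this check
    findings: List[Tuple[int, str]] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN.finditer(line):
            name, value = m.group("name"), m.group("value")
            if SECRET_NAME.fullmatch(name) and not is_allowed(name, value):
                findings.append((line_no, name))
    return findings


def scan_repo(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Map each offending path to its findings; an empty dict means the repo is clean."""
    return {p: f for p, t in files.items() if (f := scan_file(p, t))}


def server_only_in_bundle(bundle_js: str, server_only=SERVER_ONLY) -> List[str]:
    """Names of server-only variables that a built client bundle mentions at all."""
    return sorted(n for n in server_only if n in bundle_js)


# Constructed sample repository: two violations, everything else compliant.
SAMPLE_REPO = {
    ".env.example": "FIREBASE_SERVICE_ACCOUNT_KEY=replace-me\nRAZORPAY_KEY_SECRET=\nPUBLIC_FIREBASE_API_KEY=\n",
    ".env": "SMTP_PASSWORD=local-only-not-committed\n",  # not checked in, skipped
    "apps/apiWorker/src/env.ts": (
        "export const RAZORPAY_KEY_SECRET = process.env.RAZORPAY_KEY_SECRET;\n"
        'export const PUBLIC_RECAPTCHA_SITE_KEY = "6Lc-constructed-site-key";\n'
    ),
    "sites/blog/src/pages/contact.astro": "const RECAPTCHA_SECRET_KEY = import.meta.env.RECAPTCHA_SECRET_KEY;\n",
    "packages/mailer/config.toml": '[smtp]\nhost = "smtp.example.net"\nSMTP_PASSWORD = "hunter2-constructed-leak"\n',
    "sites/shop/firebase.json": '{\n  "RAZORPAY_KEY_SECRET": "rzp_test_constructed_leak"\n}\n',
    "README.md": "Set `ENVPACT_VAULT_TOKEN` in the repo secrets; CI pulls everything else from envpact.\n",
}

# Constructed client bundle fragment that wrongly inlines a server-only variable.
SAMPLE_BUNDLE = 'const cfg={PUBLIC_FIREBASE_API_KEY:"AIza-constructed",FIREBASE_SERVICE_ACCOUNT_KEY:"{...}"};'

if __name__ == "__main__":
    for path, hits in scan_repo(SAMPLE_REPO).items():
        for line_no, name in hits:
            print(f"{path}:{line_no}: hardcoded {name}")
    print("server-only in bundle:", server_only_in_bundle(SAMPLE_BUNDLE))
```

Wire `scan_repo` over `git ls-files` output in CI (or a pre-commit hook) and fail the job on a non-empty result; the placeholder list is deliberately short so that anything not obviously a placeholder is treated as a leak and reviewed.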
Annual review
Not on the annual cycle — secret rotation is event-driven (on leak, on credential expiry, on team change). The auth-setup runbook carries the rotation procedure.
Cross-refs
- `../runbooks/security/auth-setup.md` — rotation runbook with every dashboard URL.
- `../rules/no-card-on-file.md` — the upstream rule that limits the secret blast radius.
- `./ingester-contract.md` — property (6) extends this rule into ingester code.