
Doppler is the source of truth for secrets; GitHub / Cloudflare / Firebase are runtime mirrors

Tags: decision, decisions, security, secrets, doppler, github, cloudflare, firebase

Decision

Doppler is the single source of truth for every secret used across the chirag127/oriz family. Every other place a secret can live — GitHub Secrets, Cloudflare Worker vars + secrets, Firebase functions config, and local .env files via doppler run — is a downstream mirror populated by Doppler's sync integrations. Humans only ever write secrets at Doppler.

The user's home-grown envpact vault stays around for personal / non-family secrets but is no longer the family-stack source of truth.

Why

User asked the agent to choose between GitHub Secrets, Doppler, and Infisical (1Password's automation product was a fourth candidate). The agent picked Doppler for these concrete reasons:

Implications

Architecture

        Doppler (source of truth)
           +-- → GitHub Secrets   (org / repo / env scope)
           +-- → Cloudflare       (Worker vars + secrets)
           +-- → Firebase config  (functions:config + Auth provider creds)
           +-- → Local dev        (via `doppler run -- pnpm dev`)

Project layout in Doppler

| Doppler project | Environments | What lives there |
|---|---|---|
| oriz-firebase | dev, prod | Microsoft OAuth client ID/secret, reCAPTCHA Enterprise key, Firebase service account JSON, Auth provider creds |
| oriz-worker | dev, prod | HOOKDECK_SIGNING_SECRET, Razorpay key + secret, Resend API key, Sentry DSN |
| oriz-omnipost | prod | Per-adapter platform tokens (OMNIPOST_DEVTO_TOKEN, OMNIPOST_HASHNODE_TOKEN, …), GH bot PAT for repo writeback |
| oriz-monitoring | prod | Sentry DSN, Axiom token, Better Stack token, healthchecks.io ping URLs |
| oriz-cli | dev | local-only CLI auth tokens |
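The Decision section above says the mirrors (GitHub, Cloudflare, Firebase, local `doppler run`) are populated only from Doppler and never written by hand. One way to make that rule checkable at service startup is a guard that compares the runtime environment against the project layout table: every secret the Doppler project is supposed to hold must be present and non-empty in the mirror, and any secret-looking variable that is not in the manifest is flagged as drift (a value someone set directly at the mirror). The following is an added example, not code from the oriz repos; apart from HOOKDECK_SIGNING_SECRET and the two OMNIPOST_* tokens named in the table, every variable name in the manifest (RAZORPAY_KEY_ID, RESEND_API_KEY, OMNIPOST_GH_BOT_PAT, …) is an assumed name chosen for illustration, and the sample environment is constructed.

```python
"""Startup guard for a service whose secrets are mirrored from Doppler.

Added example (not part of the oriz projects). It checks a runtime
environment against a manifest derived from the "Project layout in
Doppler" table and reports two kinds of drift:
  * missing    - a manifest secret that is absent or empty at runtime
  * unexpected - a secret-looking variable that Doppler does not own
"""
import os
import re
import sys
from dataclasses import dataclass, field

# Manifest built from the layout table. Only HOOKDECK_SIGNING_SECRET and the
# OMNIPOST_*_TOKEN names appear on the page; the rest are assumed names.
DOPPLER_MANIFEST = {
    "oriz-worker": {
        "HOOKDECK_SIGNING_SECRET",
        "RAZORPAY_KEY_ID",       # assumed name for "Razorpay key"
        "RAZORPAY_KEY_SECRET",   # assumed name for "Razorpay secret"
        "RESEND_API_KEY",        # assumed name for "Resend API key"
        "SENTRY_DSN",            # assumed name for "Sentry DSN"
    },
    "oriz-omnipost": {
        "OMNIPOST_DEVTO_TOKEN",
        "OMNIPOST_HASHNODE_TOKEN",
        "OMNIPOST_GH_BOT_PAT",   # assumed name for "GH bot PAT for repo writeback"
    },
}

# Variables that legitimately live in a runtime without coming from Doppler
# (platform-provided, shell, or Doppler CLI metadata). Prefix match.
PLATFORM_PREFIXES = ("DOPPLER_", "PATH", "HOME", "PWD", "SHELL", "NODE_", "CI", "GITHUB_")

# Heuristic for "this variable probably holds a secret": name suffix.
SECRET_LIKE = re.compile(r"(SECRET|TOKEN|KEY|PAT|DSN|PASSWORD)$")


@dataclass
class MirrorReport:
    project: str
    missing: list = field(default_factory=list)     # in manifest, absent/empty at runtime
    unexpected: list = field(default_factory=list)  # secret-looking, not in manifest

    @property
    def ok(self) -> bool:
        return not self.missing and not self.unexpected


def check_runtime_mirror(project: str, runtime_env, manifest=DOPPLER_MANIFEST) -> MirrorReport:
    """Compare a runtime environment (any mapping) with the Doppler manifest."""
    required = manifest[project]
    report = MirrorReport(project)
    # 1. Everything Doppler owns must have arrived in the mirror, non-empty.
    for name in sorted(required):
        if not runtime_env.get(name):
            report.missing.append(name)
    # 2. Nothing secret-looking may exist that Doppler does not own.
    for name in sorted(runtime_env):
        if name in required or name.startswith(PLATFORM_PREFIXES):
            continue
        if SECRET_LIKE.search(name):
            report.unexpected.append(name)
    return report


def launched_via_doppler(runtime_env, project: str) -> bool:
    """True when the process was started under `doppler run` for this project.

    The Doppler CLI injects DOPPLER_PROJECT / DOPPLER_CONFIG / DOPPLER_ENVIRONMENT
    into the child process; checking DOPPLER_PROJECT catches a local dev shell
    that sourced a hand-written .env instead of using `doppler run`.
    """
    return runtime_env.get("DOPPLER_PROJECT") == project


# Constructed sample: what a Worker dev shell might look like. One Doppler
# secret arrived empty and one secret was pasted in by hand.
SAMPLE_WORKER_ENV = {
    "HOOKDECK_SIGNING_SECRET": "whsec_constructed",
    "RAZORPAY_KEY_ID": "rzp_test_constructed",
    "RAZORPAY_KEY_SECRET": "",
    "RESEND_API_KEY": "re_constructed",
    "SENTRY_DSN": "https://constructed@sentry.invalid/1",
    "STRIPE_SECRET": "sk_hand_pasted",
    "DOPPLER_PROJECT": "oriz-worker",
    "PATH": "/usr/bin",
}


if __name__ == "__main__":
    # Real use: run against the live environment and refuse to start on drift.
    project = sys.argv[1] if len(sys.argv) > 1 else "oriz-worker"
    rep = check_runtime_mirror(project, os.environ)
    if not launched_via_doppler(os.environ, project):
        print(f"warning: not running under `doppler run` for {project}")
    if not rep.ok:
        print(f"secret drift in {project}: missing={rep.missing} unexpected={rep.unexpected}")
        sys.exit(1)
    print(f"{project}: runtime mirror matches Doppler manifest")
```

Run as `doppler run -- python mirror_guard.py oriz-worker` in local dev, or as the first step of the Worker or function entrypoint in CI. The "unexpected" list is what turns the "humans only write secrets at Doppler" rule into something detectable: a secret that exists in GitHub Secrets or a Worker binding but has no Doppler counterpart is exactly the hand-written value the decision forbids, and it would otherwise silently survive the next Doppler sync.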

Operational

What we don't do

Cross-refs