Secrets management services
The family's secrets architecture is locked at security/secrets-management-doppler.md.
| Service | Status | One-line role |
|---|---|---|
| doppler.md | active | Source of truth — every secret originates here, syncs out to runtime mirrors |
| github-secrets.md | active | Runtime mirror for GitHub Actions; written by Doppler's GH integration |
The earlier envpact entry stays documented as the user's home-grown vault — see the Doppler decision for why we picked Doppler for this batch.
Sync direction
Doppler (source of truth)
├── → GitHub Secrets (org / repo / environment)
├── → Cloudflare Workers (vars + secrets)
├── → Firebase config (functions:config + Auth provider creds)
└── → Local .env via `doppler run` (never commit a .env file)