Skip to main content

Principles

  1. Never commit secrets to version control
  2. Centralize secrets in one secure location
  3. Use environment variables for runtime access
  4. Rotate regularly and audit access

Environment Variables

Structure

.env.example Template

Loading Environment Variables

Git Safety

Essential .gitignore

Pre-commit Hook

Prevent accidental commits of secrets:

Cloud Secrets Management

Google Cloud Secret Manager

Environment-Specific Secrets

Agent-Specific Patterns

Centralized .env in HQ

Accessing Secrets in Agents

MCP Server Credentials

Audit & Rotation

Regular Rotation Schedule

Audit Checklist

  • All .env files are git-ignored
  • No secrets in commit history
  • .env.example exists with placeholders
  • Production secrets in secure manager
  • Rotation schedule documented
  • Access logs reviewed monthly

Emergency Response

If Secrets Are Leaked

  1. Immediately rotate the compromised credentials
  2. Revoke any active sessions
  3. Audit access logs for unauthorized use
  4. Clean git history if committed:
  1. Update all systems using the credential
  2. Document the incident
Force pushing rewrites history - coordinate with your team before running git filter-branch or git push --force.

Best Practices

  • Use .env.example for documentation
  • Never log or print secrets
  • Use secret managers in production
  • Implement least-privilege access
  • Automate rotation where possible
  • Encrypt secrets at rest

MCP Configuration

Configure external service connections

Hooks

Automate security checks