Principles
- Never commit secrets to version control
- Centralize secrets in one secure location
- Use environment variables for runtime access
- Rotate regularly and audit access
Environment Variables
Structure
.env.example Template
Loading Environment Variables
Git Safety
Essential .gitignore
Pre-commit Hook
Prevent accidental commits of secrets:Cloud Secrets Management
Google Cloud Secret Manager
Environment-Specific Secrets
Agent-Specific Patterns
Centralized .env in HQ
Accessing Secrets in Agents
MCP Server Credentials
Audit & Rotation
Regular Rotation Schedule
Audit Checklist
- All .env files are git-ignored
- No secrets in commit history
- .env.example exists with placeholders
- Production secrets in secure manager
- Rotation schedule documented
- Access logs reviewed monthly
Emergency Response
If Secrets Are Leaked
- Immediately rotate the compromised credentials
- Revoke any active sessions
- Audit access logs for unauthorized use
- Clean git history if committed:
- Update all systems using the credential
- Document the incident
Best Practices
- Use
.env.examplefor documentation - Never log or print secrets
- Use secret managers in production
- Implement least-privilege access
- Automate rotation where possible
- Encrypt secrets at rest
Related
MCP Configuration
Configure external service connections
Hooks
Automate security checks