Secret Hygiene

In one line: Secrets — keys, tokens, credentials, internal IPs — never enter agent context, commits, logs, or memory.

Do this: Reference secrets indirectly (read from .env, a secrets manager, or shell-resolved at use time); never paste a live credential into a prompt, a committed file, a doc that gets synced, or a memory entry. If a secret does leak into context, rotate it — context is not erasable.
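The indirect-reference rule above, as an added example that is not part of the original page or its skill files: a POSIX sh helper that resolves a named secret at the moment it is needed, from the process environment first (where a secrets manager or CI runner would inject it) and otherwise from a plain KEY=VALUE line in a .env file. The function name resolve_secret, the lookup order, and the .env syntax it accepts are this example's own assumptions.

```shell
# resolve_secret NAME [ENV_FILE]
# Added example helper (assumed name and behaviour, not the project's code).
# Resolves a secret at use time and returns it only via stdout, for command
# substitution by the caller; it never echoes the value anywhere else.
#   1. process environment (injected by a secrets manager, CI, or the shell)
#   2. a plain NAME=VALUE line in ENV_FILE (default: ./.env), quotes stripped
# Exit status: 0 found, 1 not found / file unreadable, 2 invalid name.
resolve_secret() {
  name="$1"
  env_file="${2:-.env}"
  # "name" is spliced into eval below, so refuse anything that is not a
  # shell identifier; otherwise a caller-controlled NAME could run commands.
  case "$name" in
    *[!A-Za-z0-9_]*|[0-9]*|'')
      echo "resolve_secret: invalid name" >&2
      return 2 ;;
  esac
  # Step 1: environment.
  eval "val=\${$name:-}"
  if [ -n "$val" ]; then
    printf '%s\n' "$val"
    return 0
  fi
  # Step 2: .env file. Only plain NAME=VALUE lines are recognised (assumption).
  if [ ! -r "$env_file" ]; then
    echo "resolve_secret: $name not in environment and $env_file unreadable" >&2
    return 1
  fi
  val=$(grep -E "^${name}=" "$env_file" | head -n 1 | cut -d= -f2-)
  # Strip one layer of surrounding double or single quotes.
  val=${val#\"}; val=${val%\"}
  val=${val#\'}; val=${val%\'}
  if [ -z "$val" ]; then
    echo "resolve_secret: $name not found" >&2
    return 1
  fi
  printf '%s\n' "$val"
}
```

Call it inside a command substitution at the point of use (TOKEN=$(resolve_secret API_TOKEN)) and hand the value to the consuming command through its environment, not as a command-line argument, since argv is readable by other local users through the process list. Keep shell tracing (set -x) off around the call: with tracing on, the shell prints every expanded assignment, which is exactly the "secret in a log" the rule forbids.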

Mechanism: scripts/check-doc-classification.sh (the shipped gate that flags IP addresses, key-shaped strings, and credential patterns in docs before they sync to a public site), .gitignore (keeps .env and secret files out of commits), and the memory "what NOT to save" rule (skill:s4u-memory-discipline): credentials and infra specifics are on the never-persist list.
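A gate in the spirit of scripts/check-doc-classification.sh, as an added example; this is not the project's script, and its three pattern classes (RFC 1918 internal IPv4 addresses, key-shaped strings, credential assignments), its allow-listing of non-private addresses, its output format, and the function names scan_doc and check_docs are all this example's own assumptions. The sample document in the test is constructed; the AKIA... value is the AWS documentation placeholder.

```shell
# Added example (assumed patterns and names), not scripts/check-doc-classification.sh.

# Any dotted quad; which ones count as "internal" is decided in scan_doc, so
# version strings (1.2.3.4) and documentation addresses (203.0.113.7) pass.
IPV4_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'
# Key-shaped strings: AWS-style access key ids, PEM private-key headers, and
# long unbroken base64/hex runs (which deliberately also catches raw hashes).
KEY_RE='AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|[A-Za-z0-9+/]{40,}={0,2}'
# Credential assignments such as password=..., token: ..., api_key=... whose
# value is at least 8 non-space characters (matched case-insensitively).
CRED_RE='(password|passwd|pwd|token|secret|api[_-]?key)[[:space:]]*[:=][[:space:]]*[^[:space:]]{8,}'

# scan_doc FILE
# Prints "FILE:LINE: CLASS" per finding. Only the location and class are
# printed, never the matched text, so the gate does not copy a secret into
# hook output or CI logs. Returns 1 if anything was found, 0 if clean.
scan_doc() {
  file="$1"
  found=0
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    # Internal IPs: flag only RFC 1918 ranges (10/8, 172.16/12, 192.168/16).
    hit=0
    for ip in $(printf '%s\n' "$line" | grep -Eo "$IPV4_RE"); do
      case "$ip" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) hit=1 ;;
      esac
    done
    if [ "$hit" -eq 1 ]; then
      printf '%s:%d: internal-ip\n' "$file" "$n"
      found=1
    fi
    if printf '%s\n' "$line" | grep -Eq "$KEY_RE"; then
      printf '%s:%d: key-shaped\n' "$file" "$n"
      found=1
    fi
    if printf '%s\n' "$line" | grep -Eiq "$CRED_RE"; then
      printf '%s:%d: credential\n' "$file" "$n"
      found=1
    fi
  done < "$file"
  return "$found"
}

# check_docs DIR
# Gate entry point: scan every Markdown file about to be synced and fail if
# any file has a finding, so the sync step can refuse to run.
check_docs() {
  status=0
  for f in "$1"/*.md; do
    [ -e "$f" ] || continue
    scan_doc "$f" || status=1
  done
  return "$status"
}
```

Wire check_docs into the step that runs before docs are published (a pre-commit hook or the sync job) and treat a non-zero exit as a hard stop. Expect some noise from the long-run pattern on commit hashes and from the credential pattern on prose like "the token: rotate it yearly"; tune the value-length threshold or add a per-line allow marker rather than loosening the address and key checks. A finding means the string has already entered the working tree, so the page's rotation rule applies regardless of whether the sync was blocked.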