TrustSecurityBaseline
Secrets Policy
No secrets in the repository.
Rule
No secrets in the repository.
This includes:
- API keys.
- OAuth secrets.
- Database URLs.
- Payment provider secrets.
- Cloudflare tokens.
- Recovery codes.
- Personal identity documents.
- Private financial records.
Accepted Patterns
.env.examplewith placeholder values.- Provider-native secret managers.
- CI secret stores.
- Local
.env.localor.dev.varsfiles ignored by git.
AI Agent Rule
AI agents must not request, print, transform, summarize, or commit secrets. If a task appears to require a secret, stop and ask the human to use an approved secret-management path outside repo docs.