type: policy
status: active
timestamp: 2026-06-20
tags: [policy, secrets, security, envpact]

Secrets — envpact only, never in chat

Secrets from envpact. Pasted in chat = compromised: revoke, rotate

Secrets — envpact only, never in chat

The policy

Every credential the family uses is fetched from envpact at deploy time or build time; secrets never appear in source code, in chat transcripts, or in commit messages, and any leak triggers immediate revoke + rotate.

Scope

Rules

Exceptions

Annual review

Not on the annual cycle — secret rotation is event-driven (on leak, on credential expiry, on team change). The auth-setup runbook carries the rotation procedure.

Cross-refs


Edit on GitHub · Back to index