This skill helps manage API keys and secrets securely by providing templates, environment variable fallbacks, and proper .gitignore patterns.

```bash
npx playbooks add skill autumnsgrove/groveengine --skill secrets-management
```
---
name: secrets-management
description: Manages API keys, credentials, and sensitive configuration using secrets.json patterns with environment variable fallbacks. Use when working with API keys, credentials, .env files, or any sensitive configuration.
---
# Secrets Management Skill
## When to Activate
Activate this skill when:
- Setting up API keys or credentials
- Creating secrets.json files
- Implementing secrets loading patterns
- Working with .env files
- Integrating external APIs requiring authentication
- Ensuring credentials are not committed to git
## Core Principles
### Security Fundamentals
- **NEVER** hardcode API keys in source code
- **ALWAYS** add secrets.json to .gitignore immediately
- **ALWAYS** provide a secrets_template.json for setup reference
- Use environment variable fallbacks for CI/CD compatibility
### Standard File Structure
```
project/
├── secrets.json           # Actual secrets (NEVER commit)
├── secrets_template.json  # Template with placeholder values (commit this)
├── .gitignore             # Must include secrets.json
└── .env                   # Alternative for env vars (also gitignored)
```
## Implementation Pattern
### secrets.json Format
```json
{
  "anthropic_api_key": "sk-ant-api03-...",
  "openrouter_api_key": "sk-or-v1-...",
  "openai_api_key": "sk-...",
  "database_url": "postgresql://user:pass@localhost/db",
  "comment": "Add your API keys here. Keep this file private."
}
```
### Python Loading Pattern
```python
import os
import json
from pathlib import Path


def load_secrets():
    """Load secrets from secrets.json with env var fallback."""
    secrets_path = Path(__file__).parent / "secrets.json"
    try:
        with open(secrets_path, 'r') as f:
            return json.load(f)
    except (FileNotFoundError, json.JSONDecodeError):
        return {}


SECRETS = load_secrets()
# Use with environment variable fallback
API_KEY = SECRETS.get("anthropic_api_key", os.getenv("ANTHROPIC_API_KEY", ""))
```
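The loader above falls back to the environment only when the key is absent from secrets.json: `dict.get(key, default)` returns an empty string left in the file even when `ANTHROPIC_API_KEY` is populated, nothing checks that required keys were actually resolved, and nothing helps keep a key out of log output. The following is an added example, not code from the groveengine skill, that closes those gaps. It resolves each key from the file first and then from an environment variable named by upper-casing the key, treats blank values as missing, fails fast when a required key is still unset, and masks values for logging. `ALL_KEYS` and `REQUIRED_KEYS` are assumptions for the example.

```python
import json
import os
from pathlib import Path

# Example key set mirroring the secrets.json format above. REQUIRED_KEYS is an
# assumption for this example: adjust it to what your application needs.
ALL_KEYS = ("anthropic_api_key", "openrouter_api_key", "openai_api_key", "database_url")
REQUIRED_KEYS = ("anthropic_api_key",)


def env_name_for(key: str) -> str:
    """Map a secrets.json key to its env-var fallback name,
    e.g. anthropic_api_key -> ANTHROPIC_API_KEY."""
    return key.upper()


def parse_secrets(text: str) -> dict:
    """Parse secrets.json content. Malformed or non-object JSON yields {} so
    a broken file degrades to env-var-only mode instead of crashing."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return {}
    return data if isinstance(data, dict) else {}


def resolve_secrets(file_secrets: dict, keys=ALL_KEYS, env=None) -> dict:
    """Prefer a non-blank value from secrets.json, then the environment.
    Blank strings count as missing (unlike dict.get(key, default)), so an
    empty placeholder left in the file cannot shadow a populated env var."""
    env = os.environ if env is None else env
    resolved = {}
    for key in keys:
        value = file_secrets.get(key)
        if not isinstance(value, str) or not value.strip():
            value = env.get(env_name_for(key), "")
        resolved[key] = value.strip()
    return resolved


def missing_required(secrets: dict, required=REQUIRED_KEYS) -> list:
    """Names of required keys that resolved to an empty value."""
    return [key for key in required if not secrets.get(key)]


def mask_secret(value: str, keep: int = 4) -> str:
    """Redact a credential for log output, keeping only a short prefix
    (enough to tell which provider it belongs to, never the full key)."""
    if not value:
        return "<unset>"
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def load_secrets(path=None, keys=ALL_KEYS, env=None) -> dict:
    """Load secrets.json (next to this file by default), apply env-var
    fallbacks, and raise if a required key is still unset."""
    secrets_path = Path(path) if path else Path(__file__).parent / "secrets.json"
    file_secrets = {}
    if secrets_path.is_file():
        file_secrets = parse_secrets(secrets_path.read_text(encoding="utf-8"))
    secrets = resolve_secrets(file_secrets, keys, env)
    missing = missing_required(secrets)
    if missing:
        raise RuntimeError("missing required secrets: " + ", ".join(
            f"{k} (set {env_name_for(k)})" for k in missing))
    return secrets


if __name__ == "__main__":
    # Constructed sample: an empty key in the file, the value supplied via env.
    sample_file = '{"anthropic_api_key": "", "database_url": "postgresql://u:p@localhost/db"}'
    sample_env = {"ANTHROPIC_API_KEY": "sk-ant-api03-EXAMPLEONLY"}
    for key, value in resolve_secrets(parse_secrets(sample_file), env=sample_env).items():
        print(f"{key}: {mask_secret(value)}")
```

In CI, where secrets.json does not exist, `load_secrets()` resolves everything from the environment and the `RuntimeError` names the exact variable that still needs to be set, which is a far more useful failure than an empty `API_KEY` surfacing as an authentication error later.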
## Setup Checklist
1. Create secrets_template.json with placeholder values
2. Copy to secrets.json and add real credentials
3. Add secrets.json to .gitignore
4. Implement secrets loading in application
5. Verify git status shows secrets.json as untracked
## Security Best Practices
### DO ✅
- Store keys in secrets.json
- Add to .gitignore immediately
- Provide template files for setup
- Use environment variable fallbacks
- Rotate keys after team changes
### DON'T ❌
- Hardcode API keys
- Commit actual credentials
- Log full API keys
- Share keys via email/chat
## Key Format Reference
| Provider | Format |
|----------|--------|
| Anthropic | `sk-ant-api03-...` |
| OpenRouter | `sk-or-v1-...` |
| OpenAI | `sk-...` |
| AWS Access | `AKIA...` |
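Checklist steps 3 and 5 and the Key Format Reference above lend themselves to a pre-commit check. The following is an added example, not part of the groveengine skill: it verifies that .gitignore actively ignores secrets.json (a commented-out or negated entry does not count), refuses commits that stage secrets.json, and scans staged text files for credential-shaped strings built from the table's prefixes, reporting only a masked prefix in keeping with the "Log full API keys" DON'T. The minimum tail lengths in the regexes are assumptions for this example, except the AWS access key ID, whose 16-character tail is documented by AWS. Run it from the repository root, or install it as `.git/hooks/pre-commit`.

```python
import re
import subprocess
import sys
from pathlib import Path

# Patterns built from the prefixes in the Key Format Reference table. The
# minimum tail lengths are assumptions for this example, except the AWS
# access key ID, whose 16-character tail is documented by AWS.
KEY_PATTERNS = {
    "anthropic": re.compile(r"sk-ant-api03-[A-Za-z0-9_-]{20,}"),
    "openrouter": re.compile(r"sk-or-v1-[A-Za-z0-9]{20,}"),
    "openai": re.compile(r"sk-(?!ant-|or-)[A-Za-z0-9_-]{20,}"),
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
}


def gitignore_covers(gitignore_text: str, filename: str = "secrets.json") -> bool:
    """True if .gitignore has an active (uncommented, non-negated) entry that
    ignores filename. Accepts 'secrets.json', '/secrets.json' and
    '**/secrets.json'; a commented-out line does not count."""
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        if line.startswith("**/"):
            line = line[3:]
        if line.lstrip("/") == filename:
            return True
    return False


def find_key_leaks(text: str) -> list:
    """Return (provider, masked_prefix) pairs for credential-shaped strings in
    text. Only the first six characters are kept, so the check itself never
    prints a full key."""
    findings = []
    for provider, pattern in KEY_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((provider, match.group(0)[:6] + "***"))
    return findings


def staged_files() -> list:
    """Paths added, copied or modified in the index (what the commit will contain)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True)
    return [p for p in out.stdout.splitlines() if p]


def main() -> int:
    problems = []
    gitignore = Path(".gitignore")
    if not gitignore.is_file() or not gitignore_covers(gitignore.read_text(encoding="utf-8")):
        problems.append(".gitignore does not ignore secrets.json")
    for path in staged_files():
        if Path(path).name == "secrets.json":
            problems.append(f"{path} is staged for commit")
            continue
        try:
            content = Path(path).read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable: nothing to scan
        for provider, masked in find_key_leaks(content):
            problems.append(f"{path}: {provider} key-shaped string {masked}")
    for problem in problems:
        print("secrets check:", problem, file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

The placeholder values in secrets_template.json (`sk-ant-api03-...`) are too short to match any pattern, so the committed template passes while a real key pasted into source or a notebook is caught before it reaches history.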
## Related Resources
See `AgentUsage/secrets_management.md` for complete documentation including:
- Advanced loading patterns with validation
- .env file integration
- Automated testing patterns
- Emergency key rotation procedures
- Production deployment strategies
This skill manages API keys, credentials, and other sensitive configuration using a secrets.json pattern with environment variable fallbacks. It is designed for multi-tenant TypeScript projects and prevents committing secrets while providing a clear onboarding template. The goal is to centralize secret loading, support CI/CD, and reduce accidental exposure of credentials.
The skill expects a secrets.json file for local secrets plus a secrets_template.json committed as a reference. At runtime the loader reads secrets.json and falls back to environment variables when keys are absent or in CI. It enforces adding secrets.json to .gitignore and encourages rotating keys and avoiding logs that reveal secrets.
**What if secrets.json is missing in CI?** The loader will use environment variable fallbacks; ensure CI sets required env vars.

**Should I commit secrets_template.json?** Yes. Commit the template with placeholders to document required keys without exposing real values.