Secrets & Privacy

This chapter defines the default openness of a repository and the checks that protect it: a pre-publish secrets sweep, a strength bar for credentials, and a ban on committing personal or machine-specific paths. These rules are always in force.


You MUST treat every repository as public unless you are told otherwise. Because anything committed may become world-readable, you MUST NOT expose client identifiers, secrets, or other sensitive data, and you MUST apply extra care to anything that resembles configuration or a key.

Before any upload, you MUST verify that no sensitive material is staged:

| Check | Requirement |
| --- | --- |
| Keys & tokens | No API keys, passwords, or tokens MAY appear in committed files. |
| Ignore rules | A real .env MUST be git-ignored and MUST NOT be tracked. |
| Sample file | Any committed .example.env MUST carry only dummy values, never real credentials. |
| Sensitive data | No personal or confidential data MAY be included. |

This check applies to fixtures and mock data as well; placeholder credentials MUST be obviously fake.

Even development credentials MUST be strong. A password MUST be at least 16 characters and MUST combine upper- and lower-case letters, digits, and symbols. Trivial or guessable passwords MUST NOT be used, in any environment.

| Rule | Requirement |
| --- | --- |
| Relative paths | Committed files MUST use relative paths only. |
| Usernames | You MUST NOT commit usernames or other personal identifiers. |
| System paths | You MUST NOT commit machine-specific or absolute system paths; convert them to relative form before upload. |
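A pre-publish sweep that applies the three checks above (secrets in staged files, the credential strength bar, and absolute or personal paths) to a constructed staged tree, added here as an example and not part of this specification or of any project's tooling. The staged file contents, the .gitignore, the credential-key and dummy-value patterns, and the absolute-path prefixes are assumptions chosen for illustration; the .gitignore matching is deliberately simplified.

```python
import re
# Constructed sample of a staged tree (path -> content); none of this is from a real repo.
STAGED = {
    ".env": "DB_PASSWORD=devpass123\n",
    ".example.env": "API_TOKEN=changeme\nDB_PASSWORD=<your-password>\nSMTP_PASSWORD=hunter2\n",
    "config.yaml": "data_dir: /Users/alice/project/data\nservice_token: 'changeme'\n",
    "src/settings.py": "SECRET_KEY = 'dev-secret'\nDATA = 'data/input.csv'\n",
}
GITIGNORE = "node_modules/\n*.log\n"  # .env is deliberately missing

# `key = value` / `key: value` lines whose key contains a credential-like word (assumed list)
SECRET_ASSIGN = re.compile(
    r"(?im)^\s*([\w.-]*(?:api[_-]?key|secret|token|password|passwd)[\w.-]*)\s*[:=]\s*['\"]?([^\s'\"]+)")
# Home-directory paths (which also leak a username) and Windows drive paths
ABS_PATH = re.compile(r"(?<![\w/])(/(?:home|Users|root)/[^\s'\"]+|[A-Za-z]:\\[^\s'\"]+)")
# Values that are obviously fake, so allowed in .example.env, fixtures and mock data
DUMMY = re.compile(r"(?i)^(<[^>]+>|\$\{[^}]+\}|changeme|example|dummy|placeholder|x{3,}|\*{3,}|your[-_]\S*)$")

def is_strong_password(pw: str) -> bool:
    """The strength bar from this chapter: 16+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 16 and bool(re.search(r"[A-Z]", pw)) and bool(re.search(r"[a-z]", pw))
            and bool(re.search(r"\d", pw)) and bool(re.search(r"[^A-Za-z0-9]", pw)))

def is_ignored(path: str, gitignore: str) -> bool:
    """Exact-line match only; real .gitignore globbing is richer (simplifying assumption)."""
    rules = {ln.strip() for ln in gitignore.splitlines() if ln.strip() and not ln.startswith("#")}
    return path in rules

def sweep(staged: dict, gitignore: str) -> list:
    """Return (path, reason) findings; an empty list means the upload may proceed."""
    findings = []
    if ".env" in staged and not is_ignored(".env", gitignore):
        findings.append((".env", "real .env is staged and not git-ignored"))
    for path, text in staged.items():
        for key, value in SECRET_ASSIGN.findall(text):
            if DUMMY.match(value):
                continue  # obviously fake placeholder: allowed anywhere
            if path.endswith(".example.env"):
                findings.append((path, f"{key}: sample file must carry only dummy values"))
            elif "pass" in key.lower() and not is_strong_password(value):
                findings.append((path, f"{key}: real-looking credential that also fails the strength bar"))
            else:
                findings.append((path, f"{key}: real-looking credential in a committed file"))
        for found in ABS_PATH.findall(text):
            findings.append((path, f"machine-specific absolute path {found}"))
    return findings

if __name__ == "__main__":
    for path, reason in sweep(STAGED, GITIGNORE):
        print(f"{path}: {reason}")
```

Running it against the sample tree reports five findings (the tracked .env, its weak password, the real-looking SMTP_PASSWORD in .example.env, the home-directory path in config.yaml, and SECRET_KEY in src/settings.py); the dummy values pass.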