Secrets & Privacy
This chapter defines the default openness of a repository and the checks that protect it: a pre-publish secrets sweep, a strength bar for credentials, and a ban on committing personal or machine-specific paths. These rules are always in force.
Open Source by Default
You MUST treat every repository as public unless you are told otherwise. Because anything committed may become world-readable, you MUST NOT expose client identifiers, secrets, or other sensitive data, and you MUST apply extra care to anything that resembles configuration or a key.
Pre-upload Secrets Check
Before any upload, you MUST verify that no sensitive material is staged:
| Check | Requirement |
|---|---|
| Keys & tokens | No API keys, passwords, or tokens MAY appear in committed files. |
| Ignore rules | A real .env MUST be git-ignored and MUST NOT be tracked. |
| Sample file | Any committed .example.env MUST carry only dummy values, never real credentials. |
| Sensitive data | No personal or confidential data MAY be included. |
This check applies to fixtures and mock data as well; placeholder credentials MUST be obviously fake.
Credential Strength
Even development credentials MUST be strong. A password MUST be at least 16 characters and MUST combine upper- and lower-case letters, digits, and symbols. Trivial or guessable passwords MUST NOT be used, in any environment.
Paths & Identity
| Rule | Requirement |
|---|---|
| Relative paths | Committed files MUST use relative paths only. |
| Usernames | You MUST NOT commit usernames or other personal identifiers. |
| System paths | You MUST NOT commit machine-specific or absolute system paths; convert them to relative form before upload. |
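The pre-upload secrets check, the credential strength bar and the path rules above can be enforced mechanically. The script below is an added example written for this chapter, not tooling from the project; it takes staged file contents as a dict (what `git show :<path>` would return) so it runs offline, and its secret patterns, dummy-value markers and path regex are constructed heuristics, not an exhaustive scanner.

```python
import re

# Heuristics for values that look like live credentials (constructed here; not exhaustive).
SECRET_PATTERNS = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                               # AWS access key ID shape
    re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
]
DUMMY_MARKERS = ("changeme", "example", "dummy", "placeholder", "xxx")  # obviously-fake values
ABS_PATH = re.compile(r"(?:/(?:home|Users|root)/|[A-Za-z]:\\Users\\)[^\s\"']+")  # also leaks a username

def password_is_strong(pw: str) -> bool:
    """Credential Strength rule: at least 16 chars with upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 16 and all(re.search(c, pw) for c in classes)

def is_dummy(value: str) -> bool:
    return any(m in value.lower() for m in DUMMY_MARKERS)

def scan_text(path: str, text: str) -> list:
    """Findings for one staged file: live-looking secrets and machine-specific paths."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for pat in SECRET_PATTERNS:
            m = pat.search(line)
            if m and not is_dummy(m.group(m.lastindex or 0)):  # dummy values are allowed
                findings.append(f"{path}:{no}: possible real credential")
                break
        if ABS_PATH.search(line):
            findings.append(f"{path}:{no}: absolute/machine-specific path")
    return findings

def pre_upload_check(staged: dict, gitignore: str) -> list:
    """staged maps path -> content for every staged file; gitignore is the .gitignore text."""
    ignored = {ln.strip() for ln in gitignore.splitlines() if ln.strip() and not ln.startswith("#")}
    problems = []
    if ".env" in staged:
        problems.append(".env: real env file is tracked")
    if ".env" not in ignored:
        problems.append(".gitignore: .env is not ignored")
    for path, text in staged.items():
        problems += scan_text(path, text)
    return problems

# Constructed staging area: one live-looking key, one compliant sample file, one absolute path.
SAMPLE_STAGED = {
    "src/config.py": 'API_KEY = "AKIAABCDEFGHIJKLMNOP"',
    ".example.env": "DB_PASSWORD=changeme-placeholder",
    "scripts/run.sh": "cd /home/alice/project && ./build",
}
SAMPLE_GITIGNORE = "node_modules/\n.env\n"
```

Running `pre_upload_check(SAMPLE_STAGED, SAMPLE_GITIGNORE)` reports the key in `src/config.py` and the `/home/alice/...` path, while the `.example.env` line passes because its value is an obvious dummy.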