This repository contains public-safe configuration scaffolding only:
- Example config files with placeholder values
- Setup and verification scripts
- Documentation and catalogs

| Category | Examples | Handling |
|---|---|---|
| API keys & tokens | `ANTHROPIC_AUTH_TOKEN`, `OPENAI_API_KEY`, `NVAPI_*`, `BRIGHTDATA_API_KEY` | Use `$ENV_VAR` placeholders |
| OAuth credentials | `client_secret.json`, `oauth_creds.json`, `credentials.enc` | Listed in `.gitignore`, stored in private overlay |
| SSH keys | `~/.ssh/id_*` | Never referenced in this repo |
| Cookies & sessions | `token_cache.json`, `history.jsonl` | Listed in `.gitignore` |
| Proprietary instructions | Custom system prompts with internal IP | Strip before committing |
| Personal identifiers | Email, employee IDs, internal hostnames | Replace with `<YOUR_*>` |

Before committing any config file:
- Run `setup/verify.ps1 --security` to scan for common secret patterns.
- Replace all tokens matching these patterns with environment variable references:
  - `sk-[a-zA-Z0-9]{32,}` → `$ANTHROPIC_AUTH_TOKEN`
  - `nvapi-[a-zA-Z0-9-_]{40,}` → `$NVIDIA_API_KEY`
  - `AIza[a-zA-Z0-9-_]{35}` → `$GOOGLE_API_KEY`
  - `[0-9a-f]{8}-[0-9a-f]{4}-...` (UUID-style) → `$SERVICE_API_TOKEN`
- Use the `.example` suffix for any file that would otherwise contain secrets.
- Document required environment variables in `templates/.env.example`.
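
The pattern scan from the steps above, as an added shell example (not this repository's `verify.sh` or `verify.ps1`). `SECRET_RULES`, `scan_secrets` and `write_sample` are names assumed for this illustration, and the key-shaped strings in the sample are constructed filler.

```shell
#!/bin/sh
# Added example, not the repository's verify.sh.
# Rules are "ERE-pattern replacement" pairs taken from the list above. The
# hyphen sits last in each bracket expression so POSIX ERE reads it literally.
# The UUID-style rule is left out because the page elides its full pattern.
SECRET_RULES='sk-[a-zA-Z0-9]{32,} $ANTHROPIC_AUTH_TOKEN
nvapi-[a-zA-Z0-9_-]{40,} $NVIDIA_API_KEY
AIza[a-zA-Z0-9_-]{35} $GOOGLE_API_KEY'

# scan_secrets FILE...
# Prints "file:line: replace with $VAR" per hit and returns 1 if any file
# matched, 0 if all are clean. The matched value is never echoed, so the
# output is safe to keep in CI logs.
scan_secrets() {
    found=0
    for file in "$@"; do
        [ -f "$file" ] || continue
        while read -r pattern var; do
            # grep -n prints "line:content"; keep only the line number
            for line in $(grep -nE -e "$pattern" -- "$file" | cut -d: -f1); do
                printf '%s:%s: replace with %s\n' "$file" "$line" "$var"
                found=1
            done
        done <<EOF
$SECRET_RULES
EOF
    done
    return "$found"
}

# Constructed sample config: the key-shaped strings are fake filler.
write_sample() {
    cat > "$1" <<'EOF'
{
  "anthropic_token": "$ANTHROPIC_AUTH_TOKEN",
  "leaked_token": "sk-EXAMPLEexampleEXAMPLEexampleEXAM",
  "nvidia_key": "nvapi-EXAMPLEexampleEXAMPLEexampleEXAMPLEexample00",
  "google_key": "AIzaEXAMPLEexampleEXAMPLEexampleEXAMPLE"
}
EOF
}
```

Because the function returns non-zero on any hit, it can gate a pre-commit hook or CI step directly; the placeholder on the `anthropic_token` line is not flagged.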
Your actual credentials live in a private overlay — a directory or secret manager not tracked by this repository:
```
~/.env.local            # personal API keys (source in shell profile)
~/.config/*/secrets/    # per-tool credential directories
```
Never symlink or copy private overlay files into this repository.
If you discover a secret accidentally committed to this repository, please:
- Open a private security advisory on GitHub.
- Do not open a public issue.
- Include the commit SHA and affected file path.
- No tokens, keys, or passwords in diff
- No personal email addresses or internal hostnames
- `.env.example` updated if new env vars introduced
- `.gitignore` updated if new secret file patterns introduced
- `verify.ps1` / `verify.sh` passes cleanly