Secrets-by-reference resolution and .env.example #5

Description

@Ryan-Atkinson87

Spec: §10 (credentials), §16.3 (secrets), §16.1; CLAUDE.md "Secrets by reference, never by value".

Resolve secrets from the environment by the names declared in project.yaml, never from committed values. Establish the committed .env.example that lists names only.

Acceptance criteria

  • A resolver that, given the secrets map from project.yaml (project.yaml Pydantic schema and fail-fast loader #4), reads actual values from os.environ at runtime.
  • Missing required env var → explicit, clear error (no silent default).
  • Committed .env.example lists every expected env-var name with no real values: GITHUB_PAT, ANTHROPIC_API_KEY, NOTION_TOKEN, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, AUTH_PASSWORD_HASH, and optional RESEND_API_KEY.
  • .env is gitignored; .env.example is committed.
  • Secret values are never logged.
  • Tests cover successful resolution and the missing-var error path.

Dependencies

Depends on: #1

(Ordering: ideally lands alongside #4 so the resolver can consume the validated secrets map.)
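
An added example of a resolver meeting the acceptance criteria above; it is not code from this repository. It assumes the secrets map is a mapping of logical key to env-var name, that optional keys are passed separately, and that an empty value counts as missing; `Secret`, `MissingSecretError` and `resolve_secrets` are hypothetical names.

```python
import os
from typing import Iterable, Mapping, Optional


class MissingSecretError(RuntimeError):
    """Names the absent env vars; never carries a value."""

    def __init__(self, names: Iterable[str]):
        self.names = sorted(names)
        super().__init__("missing required env var(s): " + ", ".join(self.names))


class Secret:
    """Holds a value so str(), repr() and log formatting show a mask instead."""

    __slots__ = ("_value",)

    def __init__(self, value: str):
        self._value = value

    def reveal(self) -> str:
        return self._value

    def __repr__(self) -> str:
        return "Secret(***)"

    __str__ = __repr__


# Constructed sample: logical keys are hypothetical, env-var names are from the issue.
SAMPLE_MAP = {"github": "GITHUB_PAT", "email": "RESEND_API_KEY"}


def resolve_secrets(
    secrets_map: Mapping[str, str],
    optional: Iterable[str] = (),
    environ: Optional[Mapping[str, str]] = None,
) -> dict:
    """Map logical key -> Secret, reading env-var NAMES from secrets_map."""
    env = os.environ if environ is None else environ
    optional_keys = set(optional)
    resolved, missing = {}, []
    for key, env_name in secrets_map.items():
        value = env.get(env_name)
        if value:
            resolved[key] = Secret(value)
        elif key not in optional_keys:
            # Unset and empty both count as missing (assumption): a .env copied
            # from .env.example with blank values must not pass.
            missing.append(env_name)
    if missing:
        raise MissingSecretError(missing)  # every missing name at once, no defaults
    return resolved
```

Passing `environ` explicitly lets tests exercise both paths without mutating `os.environ`.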
