.envis ignored and must never be committed..env.examplecontains placeholders only.- API keys or secrets pasted in chat, screenshots or logs must be treated as compromised and rotated.
- The validator scans for common leaked secret formats.
Agents must:
- use environment variables for secrets;
- hash passwords when auth is requested;
- implement role checks for protected routes;
- avoid hardcoded local absolute paths;
- expose health checks without leaking secrets;
- keep database credentials in Docker/env only;
- include seed credentials only for demo and document them clearly.
- The bridge requires
x-tool-bridge-token. - File writes are restricted to
SANDBOX_ROOT. - Path traversal is rejected.
- Logs redact common secret fields and known secret values from environment variables.
Before public publish:
- run
node scripts/validate_repo.js; - inspect
.envis not staged; - rotate any exposed credentials or keys;
- confirm generated software does not contain real customer data;
- publish only after release readiness approval.