Config hygiene: env-only tokens + lint to block secrets in manifests/systemd #11

Open
opened 2025-12-15 00:37:18 +00:00 by 44r0n7 · 0 comments
Owner

Proposal

  • Ensure AUTH token is only read from env; never persist to state, manifest, or systemd unit files.
  • Add a lightweight lint/check (pre-commit or CI) that fails if PIKIT_AUTH_TOKEN or similar patterns appear in tracked files (manifests, systemd units, code).
  • Document how to inject tokens via systemd drop-in or runtime env without committing them.

Acceptance

  • No tokens are written to state or logs.
  • Lint fails when secrets are committed.
  • Docs clarify the safe way to provide tokens.
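The lint proposed above, as an added example that is not code from this issue or from the pi-kit project: a POSIX sh script that flags a literal PIKIT_AUTH_TOKEN value in any tracked file (systemd unit, JSON/YAML manifest, source) while allowing bare references to the variable, so the check can run as a pre-commit hook or a CI step. The script name, the 8-character minimum value length and the pi-kit.service unit name mentioned below are assumptions; only the PIKIT_AUTH_TOKEN name comes from the issue.

```sh
#!/bin/sh
# pikit_secret_lint.sh (hypothetical name): fail when a literal PIKIT_AUTH_TOKEN
# value is present in a file. References to the variable (${PIKIT_AUTH_TOKEN},
# os.environ["PIKIT_AUTH_TOKEN"], EnvironmentFile=...) are allowed; an
# assignment of a literal value in a unit file, manifest or source is not.

# Variable name, optional closing quote, '=' or ':' (shell/unit/YAML/JSON styles),
# then a literal value of at least 8 token-like characters. The 8-character
# minimum is an assumption chosen so that short placeholders are not flagged;
# '<your-token>' and '${...}' never match because '<' and '$' are outside the class.
SECRET_PATTERN="PIKIT_AUTH_TOKEN['\"]?[[:space:]]*[=:][[:space:]]*['\"]?[A-Za-z0-9_./+-]{8,}"

# lint_file FILE: print each offending line as FILE:LINE:TEXT.
# Returns 0 when clean, 1 when a literal token was found, 2 if FILE is unreadable.
lint_file() {
    status=0
    # /dev/null as a second operand makes grep prefix matches with the filename
    grep -n -E "$SECRET_PATTERN" "$1" /dev/null || status=$?
    case $status in
        0) return 1 ;;
        1) return 0 ;;
        *) return 2 ;;
    esac
}

# lint_files: read newline-separated paths on stdin and lint each one.
# Returns 1 if any file contains a literal token, else 0.
lint_files() {
    rc=0
    while IFS= read -r f; do
        [ -f "$f" ] || continue          # skip paths deleted from the working tree
        lint_file "$f" || rc=1
    done
    return $rc
}

# lint_tree DIR: lint every regular file under DIR, skipping the .git directory.
lint_tree() {
    find "$1" -type f ! -path '*/.git/*' | sort | lint_files
}

# lint_tracked: pre-commit / CI entry point; lints the working-tree copy of
# every git-tracked file in the current repository.
lint_tracked() {
    git ls-files | lint_files
}

# When run directly, lint the given directory (default: current directory).
case "${0##*/}" in
    pikit_secret_lint.sh) lint_tree "${1:-.}"; exit $? ;;
esac
```

For the pre-commit hook, `.git/hooks/pre-commit` can simply source the script and call `lint_tracked`; a non-zero exit blocks the commit and the offending `FILE:LINE` is printed. For the runtime side, the token never needs to be in the repo: a drop-in such as `/etc/systemd/system/pi-kit.service.d/override.conf` (unit name assumed) containing `[Service]` and `EnvironmentFile=/etc/pi-kit/token.env` lets systemd read `PIKIT_AUTH_TOKEN=...` from a root-owned, mode 0600 file outside the checkout, followed by `systemctl daemon-reload`; the lint above passes on that drop-in because the value is not a literal in the unit.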

Reference: 44r0n7/pi-kit#11