Protect shared config files, never expose secrets in chat, and label every external configuration with its target.
- NEVER overwrite shared config files — use targeted edits, with a backup first
- Always
cp file file.bakbefore editing any config file - Read handoff notes or documentation about a config file before modifying it
- NEVER accept API keys, tokens, or passwords in chat
- Use the platform's secret management (environment variables, keychain, vault)
- If you catch yourself asking "paste it here" — stop. Use the secure channel.
- Bake non-secret configuration into the project's config files
- External secret stores are for secrets ONLY
- Label every external config file with what system it belongs to
- Before deploying, verify the config matches the target system
- Rely on the user manually entering values into a production dashboard
- Deploy without verifying which system the config belongs to
- Modify shared config files without reading their documentation first
- Shared config file overwritten 4 times in one session, session terminated.
- API key exposed in chat.
- Wrong credentials deployed to the wrong system.