
Security: justcarlson/dotfiles


SECURITY.md

Security Guide - Omarchy Dotfiles

🔒 Secrets Management

This repository is PUBLIC on GitHub. Never commit API keys, tokens, or credentials.

Current Setup ✅

  1. ~/.secrets file

    • Location: ~/.secrets (outside dotfiles repo)
    • Permissions: 600 (owner read/write only)
    • Sourced by: ~/.bashrc and ~/.config/fish/config.fish
    • Format: Shell environment variable exports
  2. Environment variable references

    • OpenCode config: {env:VARIABLE_NAME} syntax
    • Claude Code: Configured via claude mcp add with env vars
    • Example: {env:TAVILY_API_KEY} instead of hardcoded keys
  3. Git protection

    • .gitignore: Blocks common secret patterns
    • Pre-commit hook: Scans for API keys before commit
    • Files ignored:
      • ~/.cursor/mcp.json (contains secrets)
      • ~/.config/opencode/.env
      • All *_KEY, *_TOKEN, *_SECRET patterns

API Keys Managed via ~/.secrets

# MCP Servers
export TAVILY_API_KEY="tvly-..."          # Web search
export REF_API_KEY="ref-..."              # Documentation search

# UniFi Network (if used)
export UNIFI_API_TYPE="..."
export UNIFI_API_KEY="..."
export UNIFI_LOCAL_HOST="..."
export UNIFI_LOCAL_VERIFY_SSL="..."

# Development
export GITHUB_TOKEN="ghp_..."             # gh CLI
export ANTHROPIC_API_KEY="sk-ant-api03-..." # Claude API

πŸ›‘οΈ Protection Mechanisms

1. Pre-commit Hook

Location: .git/hooks/pre-commit

Automatically scans staged changes for:

  • Tavily API keys (tvly-*)
  • Ref API keys (ref-*)
  • Anthropic keys (sk-ant-*)
  • GitHub tokens (ghp_*, gho_*, github_pat_*)

Bypass (dangerous!): git commit --no-verify
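A minimal hook that performs the scan described above, added here as an example; it is not the repository's own .git/hooks/pre-commit (which is not shown on this page). It assumes POSIX sh, git, and GNU grep/sed with -E support.

```sh
#!/bin/sh
# Added example: a pre-commit hook covering the token prefixes listed above.
# Assumes POSIX sh, git, and GNU grep/sed with -E.

# A token must be preceded by start-of-line or a non-word character, so
# identifiers such as "href-..." do not trip the Ref prefix.
PREFIX='(^|[^A-Za-z0-9_])'
TOKEN='((tvly|ref|sk-ant)-[A-Za-z0-9_-]+|(ghp|gho|github_pat)_[A-Za-z0-9_]+)'

# scan_added_lines: read a unified diff on stdin and report every added line
# that carries a matching token, with the token redacted (the hook must never
# echo the secret itself). Returns 1 if anything matched, 0 if clean.
scan_added_lines() {
    # '^\+[^+]' keeps added lines and drops the '+++ b/path' file header.
    hits=$(grep -E '^\+[^+]' | grep -E "$PREFIX$TOKEN" \
           | sed -E "s/$PREFIX$TOKEN/\\1<REDACTED>/g" || true)
    [ -z "$hits" ] && return 0
    printf 'pre-commit: possible secret in staged changes:\n%s\n' "$hits" >&2
    return 1
}

# run_hook: scan exactly what is about to be committed (-U0 drops context
# lines, so a pre-existing secret elsewhere in the file is not re-reported).
run_hook() {
    if ! git diff --cached -U0 --no-color --diff-filter=ACMR | scan_added_lines; then
        echo 'Commit aborted. Move the value to ~/.secrets and reference it via {env:VAR}.' >&2
        exit 1
    fi
}

# Only run the scan when executed as the hook itself (.git/hooks/pre-commit),
# so the functions can also be sourced and exercised on a canned diff.
case "$(basename -- "$0")" in
    pre-commit) run_hook ;;
esac
```

Copy the file to .git/hooks/pre-commit and mark it executable; the checklist item "Pre-commit hook is executable" refers to exactly that bit.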

2. .gitignore Patterns

Protected file types:

  • *.secrets - Any secrets files
  • .env* - Environment files (except .env.example)
  • *apiKey* - Files with "apiKey" in name
  • Cursor MCP config (contains embedded keys)

3. Configuration Best Practices

✅ SAFE - Use environment variable references:

{
  "mcp": {
    "tavily": {
      "url": "https://mcp.tavily.com/mcp/?tavilyApiKey={env:TAVILY_API_KEY}"
    }
  }
}

❌ UNSAFE - Never hardcode:

{
  "mcp": {
    "tavily": {
      "url": "https://mcp.tavily.com/mcp/?tavilyApiKey=tvly-actual-key-here"
    }
  }
}

πŸ” Security Audit

Run these commands to check for leaked secrets:

# 1. Scan current changes
git diff | grep -iE "tvly-|ref-|sk-ant-|ghp_"

# 2. Scan entire repo history (SLOW - only if needed)
git log --all -S "tvly-" --source --pretty=format:"%H %s"

# 3. Check secrets file permissions
ls -la ~/.secrets  # Should be: -rw------- (600)

# 4. Verify shell sources secrets
grep -E "source.*secrets|\..*secrets" ~/.bashrc ~/.config/fish/config.fish

🚨 If Secrets Were Committed

If you accidentally committed secrets:

  1. Immediately rotate the compromised keys

  2. Remove from git history (nuclear option):

    # Use git-filter-repo (preferred)
    git filter-repo --path-glob '*.secrets' --invert-paths
    
    # Or BFG Repo-Cleaner
    bfg --delete-files '*.secrets'
  3. Force push (WARNING: rewrites history)

    git push --force-with-lease
  4. Update ~/.secrets with new keys

📋 Checklist Before Push

  • No API keys in staged files (git diff --cached)
  • Environment variables use {env:VAR} syntax
  • ~/.secrets has 600 permissions
  • Pre-commit hook is executable
  • .gitignore includes secret patterns

🔗 References

  • Secrets management: lib/secrets.sh
  • Install script: install.sh (uses secrets_get/secrets_set)
  • OpenCode config: omarchy-config/.config/opencode/opencode.jsonc
  • Pre-commit hook: .git/hooks/pre-commit

Last updated: 2026-01-05

Status: ✅ Repository scanned - no secrets detected in git history
