refactor(settings): adopt environment-only runtime secret flow
This commit is contained in:
+2
-1
@@ -46,7 +46,8 @@ See `.github/PULL_REQUEST_TEMPLATE.md` for the security checklist that must be c
|
||||
|
||||
- No secrets in source code
|
||||
- Environment variables for all credentials (`DATABASE_URL`, API keys)
|
||||
- `SystemSettings` table for runtime-configurable secrets (AI keys, SMTP credentials)
|
||||
- Runtime application secrets are provisioned outside the application data plane through environment variables or a deployment-time secret manager
|
||||
- `SystemSettings` may still contain legacy secret residue during migration, but new secret values must not be written there
|
||||
- `.env` files excluded from version control via `.gitignore`
|
||||
|
||||
## Incident Response
|
||||
|
||||
Reference in New Issue
Block a user