ワンクリックで
secrets-management
Centralized secrets management pattern for Squad. Secrets never in git, always accessible at runtime.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Centralized secrets management pattern for Squad. Secrets never in git, always accessible at runtime.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
| name | secrets-management |
| description | Centralized secrets management pattern for Squad. Secrets never in git, always accessible at runtime. |
| triggers | ["secret","credential","api key","token","password","env var",".env","credential manager"] |
| confidence | high |
Rule Zero: No secret value is ever committed to git. Period.
| Priority | Source | Example | Notes |
|---|---|---|---|
| 1 | Windows Credential Manager | my-api-key | Most secure. Survives reboots. |
| 2 | Machine-local file | $env:USERPROFILE\.squad\webhook.url | For values that are file-based by convention. |
| 3 | Machine-local .env | $env:USERPROFILE\.squad\.env | Fallback for machines without Credential Manager. |
| 4 | Environment variable | $env:API_KEY | Already set in session (e.g., by CI). |
.env.example — document the variable name, description, and where to get it. No values.scripts/setup-secrets.ps1 — add an entry to the secrets array with:
EnvVar: environment variable nameCredTarget: Windows Credential Manager key (or $null)Description: human-readable nameRequired: $true or $false# Using cmdkey
cmdkey /add:my-new-secret /user:my-new-secret /pass:"actual-value"
# Using CredentialManager module (preferred)
New-StoredCredential -Target 'my-new-secret' -UserName 'my-new-secret' -Password 'actual-value' -Persist LocalMachine
Secrets do NOT sync between machines. Each Dev Box or workstation must set up its own secrets independently.
Setup steps for a new machine:
scripts/setup-secrets.ps1.squad/.envThe file .env.example in the repo root lists all required environment variables with descriptions but no values. It serves as documentation and a template.
The .gitignore must include patterns to prevent accidental secret commits:
*.env, .env.* — environment files*secret*, *credential* — anything named with sensitive terms*-config.json — config files that may contain tokens*.key, *.pem — cryptographic material!.env.example — the template is explicitly allowedWhen a secret is compromised or needs rotation:
.env.example has descriptions only, no values.gitignore blocks *.env, *secret*, *credential*, *.key, *.pemProtocol for sending queries, delegating tasks, and sharing context between independent Squad instances across different repositories
Create, run, and manage child squads for specific missions. Enables an HQ coordinator to fan out work to purpose-built teams.
Automatically create a comprehensive "Book of News" PDF from any conference — scrapes sessions, captures video screenshots, extracts transcripts (VTT) and slide content via OCR, generates AI digests with fact-checking, and produces an Ignite-style publication with images, announcements, code samples, and indexes.
Secure credential management for AI agents via official Bitwarden MCP server and bw CLI. Agents can store and retrieve secrets without exposing the entire vault. All access is audited.
Blog post quality patterns for technical writing — storytelling structure, code block rules, series conventions, and pre-publish checklists.
Prevent multiple Squad/Ralph instances from fighting over global gh auth state when running across repos with different GitHub accounts (personal vs EMU/enterprise).