원클릭으로
secrets-management
Centralized secrets management pattern for Squad. Secrets never in git, always accessible at runtime.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Centralized secrets management pattern for Squad. Secrets never in git, always accessible at runtime.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Protocol for sending queries, delegating tasks, and sharing context between independent Squad instances across different repositories
Create, run, and manage child squads for specific missions. Enables an HQ coordinator to fan out work to purpose-built teams.
Automatically create a comprehensive "Book of News" PDF from any conference — scrapes sessions, captures video screenshots, extracts transcripts (VTT) and slide content via OCR, generates AI digests with fact-checking, and produces an Ignite-style publication with images, announcements, code samples, and indexes.
Secure credential management for AI agents via official Bitwarden MCP server and bw CLI. Agents can store and retrieve secrets without exposing the entire vault. All access is audited.
Blog post quality patterns for technical writing — storytelling structure, code block rules, series conventions, and pre-publish checklists.
Prevent multiple Squad/Ralph instances from fighting over global gh auth state when running across repos with different GitHub accounts (personal vs EMU/enterprise).
| name | secrets-management |
| description | Centralized secrets management pattern for Squad. Secrets never in git, always accessible at runtime. |
| triggers | ["secret","credential","api key","token","password","env var",".env","credential manager"] |
| confidence | high |
Rule Zero: No secret value is ever committed to git. Period.
| Priority | Source | Example | Notes |
|---|---|---|---|
| 1 | Windows Credential Manager | my-api-key | Most secure. Survives reboots. |
| 2 | Machine-local file | $env:USERPROFILE\.squad\webhook.url | For values that are file-based by convention. |
| 3 | Machine-local .env | $env:USERPROFILE\.squad\.env | Fallback for machines without Credential Manager. |
| 4 | Environment variable | $env:API_KEY | Already set in session (e.g., by CI). |
.env.example — document the variable name, description, and where to get it. No values.scripts/setup-secrets.ps1 — add an entry to the secrets array with:
EnvVar: environment variable nameCredTarget: Windows Credential Manager key (or $null)Description: human-readable nameRequired: $true or $false# Using cmdkey
cmdkey /add:my-new-secret /user:my-new-secret /pass:"actual-value"
# Using CredentialManager module (preferred)
New-StoredCredential -Target 'my-new-secret' -UserName 'my-new-secret' -Password 'actual-value' -Persist LocalMachine
Secrets do NOT sync between machines. Each Dev Box or workstation must set up its own secrets independently.
Setup steps for a new machine:
scripts/setup-secrets.ps1.squad/.envThe file .env.example in the repo root lists all required environment variables with descriptions but no values. It serves as documentation and a template.
The .gitignore must include patterns to prevent accidental secret commits:
*.env, .env.* — environment files*secret*, *credential* — anything named with sensitive terms*-config.json — config files that may contain tokens*.key, *.pem — cryptographic material!.env.example — the template is explicitly allowedWhen a secret is compromised or needs rotation:
.env.example has descriptions only, no values.gitignore blocks *.env, *secret*, *credential*, *.key, *.pem