[chore] Document 1Password CLI secret management in AGENTS.md (HAR-252)#231
[chore] Document 1Password CLI secret management in AGENTS.md (HAR-252)#231harryden wants to merge 1 commit into
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Warning Review limit reached
More reviews will be available in 31 minutes and 51 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR updates agent-facing documentation for secret handling by adding 1Password CLI guidance to the existing secrets policy in AGENTS.md.
Changes:
- Adds a secrets policy bullet describing 1Password CLI usage.
- Documents
op://as the intended secret reference format.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - Never add real credentials to code, tests, logs, commits, or PR descriptions | ||
| - OAuth client secrets must remain server-side only | ||
| - Use mocked OAuth responses in tests unless explicitly instructed otherwise | ||
| - Secrets are managed via 1Password CLI. Real values are never stored in plaintext files. If you need to reference a secret, use the `op://` reference format from `.env.example`. |
There was a problem hiding this comment.
.env.example intentionally uses human-readable placeholder values (e.g. your-supabase-access-token) and is not the right place to demonstrate op:// reference format — that would mix the template's purpose (showing variable names) with runtime concerns. The bullet has been corrected to point at .env.local instead (where op run actually resolves secrets at runtime via scripts/dev-local.sh), so .env.example stays a clean human-readable template. See updated commit 3032239 on this branch.
harryden
force-pushed
the
chore/agents-secrets-1password
branch
from
945b136 to
3032239
Compare
Summary
Document that secrets are managed via the 1Password CLI and that the canonical reference format is
op://(as already used in.env.example). Linear: HAR-252.The existing
## Secrets policysection inAGENTS.mdalready covered the five baseline rules (no reading.env*, no real creds in code/PRs, OAuth server-side, mocked OAuth in tests,.env.examplefor variable names only). The only gap was the 1Password workflow, which agents previously had to infer from.env.example.Changes
AGENTS.md: append one bullet to the existing## Secrets policysection pointing agents to 1Password CLI and theop://reference format. No other lines touched, no section duplication.Tests
Docs-only change, but ran the full pre-PR suite locally on
chore/agents-secrets-1password:npm run lint— passnpm run typecheck— passnpm run test:run— 25 files, 160 tests, all passnpm run build— built in 5.25sNotes
(except .env.example)parenthetical), so an append is the minimal correct change.