Repository source and the installed ZCode home have different security boundaries. Source templates contain placeholders only. The rendered ZCode home can contain live API keys, tokens, credentials, MCP headers, certificates, and session state and must be treated as sensitive runtime data.
build/.env.exampleis committed and declares supported keys with empty values and explanatory comments.build/.envis local and gitignored. Copy the example only when explicit API-key providers, integrations, or custom target settings are needed.- When present,
build/.envmust be a current-user-owned regular non-symlink file with no group or world permission bits (0600or stricter). The installer rejects the file before reading or copying it otherwise. - Existing process-environment values take precedence. Only
ZCODE_TARGETandZCODE_BACKUPS_DIRexpand an exact leading literal$HOME,$HOME/,${HOME}, or${HOME}/prefix. Every other value remains literal. - Marketplace JSON inputs reference secrets as
${VAR_NAME}. Every referenced key must be declared inbuild/.env.example; real values never belong in a source template. build/.envis key/value data, not a shell program. Do not execute it withsource,., oreval.
cp build/.env.example build/.env
chmod 600 build/.env
$EDITOR build/.envZ.ai account authentication and explicit provider API keys are separate:
modelProviderFamilyModes.zai: oauthinv2/setting.jsonis the verified ZCode 3.3.4 default for account login. It does not requireZAI_API_KEY.ZAI_API_KEYconfigures the explicit custom Z.ai provider athttps://api.z.ai/api/anthropicundercustom:zai-api-key. That provider is disabled by default; set itsenabledfield totrueonly after supplying the key.BIGMODEL_API_KEYconfigures the separate BigModel provider athttps://open.bigmodel.cn/api/anthropicundercustom:bigmodel-api-key; that provider is also disabled by default and must be enabled deliberately after supplying the key.
The secret-free builtin:zai-coding-plan entry in cli/config.json is only the
explicit provider/model bootstrap required by CLI 0.15.2. It does not contain
an API key and must not be repurposed as a custom provider. ZCode owns that
identity and supplies the restored OAuth credential at runtime.
Provider secrets are rendered into v2/config.json. MCP secrets referenced in
mcp.json are rendered before their entries are merged into cli/config.json.
Rendering is structured and JSON-escapes values; env text is never evaluated as
shell syntax. Placeholder-bearing object keys are never substituted and are
rejected instead. Missing and empty values remain visibly unresolved. Plan and
apply both parse, substitute, and merge config, setting, provider, MCP, and hook
inputs, then refuse unresolved placeholders in keys or values throughout every
active branch. Only explicitly disabled provider or MCP entries may remain
dormant.
The following installed or backup paths can contain secrets:
~/.zcode/.envor the equivalent custom target path;~/.zcode/v2/config.json;~/.zcode/cli/config.json;~/.zcode/v2/credentials.json;~/.zcode/v2/certs/and other restored account/session state;~/.zcode-backups/or the configured backup directory.
An adopted-unmanaged backup also contains NDDEV-BACKUP.json with the original
canonical target path. Treat that path as private environment metadata and
redact it from shared diagnostics together with the envelope payload.
v2/credentials.json is unequivocally a secret: it holds ZCode desktop account
authentication tokens. The installer restores it from protected backup state
rather than templating it, but that does not make it safe to disclose.
Target and backup directories must be private to the current user (0700).
Installed secret-bearing files, including .env, rendered configs, and
credentials, must be owner-readable and owner-writable only (0600). The local
source build/.env may be stricter but may never grant group/world access.
- Never print, trace, commit, upload, attach, or paste runtime secret files or their values into logs, issues, pull requests, screenshots, or diagnostics.
- Do not place backups inside a repository tree or a shared directory.
- Pass CLI-tool credentials through an approved process environment. Prefer a project-provided launcher, secrets manager, or non-evaluating parser with an explicit key allowlist; never shell-source an env file.
- Redact values before reporting configuration errors. It is safe to name a missing variable, but not to echo its value.
- Rotate any credential immediately if a runtime file or backup was exposed.
Public secret scanning checks tracked content for exposed credentials. The maintainers' private harness additionally enforces the module boundary and rejects tracked local env files. Automated guards supplement, but do not replace, the handling rules above.