Setup Environment is a workflow for acquiring and storing API credentials. Security is not an afterthought — it's the core design principle.
If you discover a security issue in this workflow — for example, a scenario where credentials could be leaked, stored insecurely, or exposed through the pre-commit hook — please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, email: security@ecom-x.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Which workflow step is affected
- Potential impact
We will acknowledge your report within 48 hours and provide a fix timeline within 7 days.
This workflow is designed with a defense-in-depth approach:
| Layer | Protection |
|---|---|
| Storage | Apple Keychain (AES-256 encryption at rest, biometric unlock) |
| Derived files | .env.local is a cache, not the vault — regenerated from Keychain |
| Pre-commit | Secret scanning hook blocks commits containing key patterns |
| Classification | 4-tier system (Public → Private → Secret → Nuclear) with explicit warnings |
| AI safety | .env.local is never read by AI agents — only ENVIRONMENT.md (names, no values) |
| Gitignore | .env.local and CREDENTIALS.md are always gitignored |
This policy covers:
- The
WORKFLOW.mdprocess and its security guidance - The pre-commit hook patterns and secret scanning
- The
.env.examplefile (ensuring no real values are committed)
This policy does not cover:
- The security of individual third-party services (Shopify, Stripe, etc.)
- Apple Keychain security (managed by macOS)
- Your AI agent's security posture