29 lines
1.3 KiB
Plaintext
29 lines
1.3 KiB
Plaintext
# Social Media Brand — secrets allowlist
|
|
# Copy to .env (gitignored) and fill in real values. Platform encrypts on import.
|
|
# See ../SECRETS_MATRIX.md for the rationale of this scope.
|
|
#
|
|
# Social Media Brand drafts content and schedules posts via PRs / draft queues.
|
|
# It does NOT publish directly to X or LinkedIn — Marketing Lead is the SOLE
|
|
# PUBLISHER (see SECRETS_MATRIX.md).
|
|
#
|
|
# Missing this file was the root cause of the 2026-04-24 P1 credential loss
|
|
# (issue #2026): workspace_secrets was empty on re-provision because
|
|
# org_import.go reads from <role>/.env, and without .env.example the operator
|
|
# had no reference for which keys to populate. Credentials were never persisted
|
|
# to the DB, so every container restart left the workspace keyless.
|
|
#
|
|
# Resolution: add this file so the operator knows exactly what to populate.
|
|
|
|
# --- LLM ---
|
|
CLAUDE_CODE_OAUTH_TOKEN=sk-ant-oat01-...
|
|
|
|
# --- GitHub (PR-author scope only — see SECRETS_MATRIX.md) ---
|
|
# Generate a fine-grained PAT with scope limited to:
|
|
# - Pull requests: Read + Write (for create/comment, NOT merge)
|
|
# - Issues: Read + Write (for create/comment)
|
|
# - Contents: Read (for git clone)
|
|
# DO NOT grant Workflows, Administration, or Merge scopes.
|
|
# This token lets Social Media Brand draft content via PRs to the
|
|
# marketing/docs/landingpage repos only.
|
|
GH_TOKEN=
|