WayCup Secret Registry
This document acts as a Map for AI agents and human teammates. It describes where secrets live without actually storing the sensitive data.
Security Protocol
- NO SECRETS IN PLAIN TEXT. Never paste a password, API key, or token into this Vault.
- 1PASSWORD IS THE SOURCE OF TRUTH. All secrets must be stored in the WayCup shared vault in 1Password.
- ACCESS VIA CLI. AI agents must use the `op read` command to fetch values, and MUST ask for user permission before execution.
Secret Mapping
| Service | Secret Name | 1Password URI | Purpose |
|---|---|---|---|
| Google Cloud | GEMINI_API_KEY | op://Private/Gemini API/credential | Brain authentication for AI agents. |
| GitHub | GH_TOKEN | op://Private/GitHub/token | CLI authentication for snip and gh. |
| Tailscale | TAILSCALE_AUTH_KEY | op://Private/Tailscale/auth_key | Node authentication for Engine recovery. |
| Dog Wizard | DOG_WIZARD_DB_URL | op://Clients/Dog Wizard/db_url | Production database connection string. |
AI Instructions (How to read this)
If you need to access a secret listed above, do not guess. Follow these steps:
- Identify the 1Password URI for the required secret.
- Construct the command: `op read "<URI>"`
- Ask the user: “I need to access the [Secret Name] to proceed. May I run the 1Password CLI to fetch it?”
- Once permitted, execute the command and use the value only in memory. Never log it.
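
The steps above as a permission-gated wrapper. This is an added example, not part of the WayCup registry itself. The function names are hypothetical, the `REGISTRY` dict is copied from the Secret Mapping table, and it assumes `op` is on `PATH` and already signed in.

```python
import subprocess

# Secret name -> 1Password URI, copied from the Secret Mapping table.
REGISTRY = {
    "GEMINI_API_KEY": "op://Private/Gemini API/credential",
    "GH_TOKEN": "op://Private/GitHub/token",
    "TAILSCALE_AUTH_KEY": "op://Private/Tailscale/auth_key",
    "DOG_WIZARD_DB_URL": "op://Clients/Dog Wizard/db_url",
}


class SecretAccessDenied(Exception):
    """Raised when the user declines or the secret is not in the registry."""


def build_command(name):
    """Look up the URI in the registry (never guess) and build the argv list."""
    try:
        uri = REGISTRY[name]
    except KeyError:
        raise SecretAccessDenied(f"{name} is not listed in the registry") from None
    # argv list, no shell: the space in "Gemini API" needs no quoting.
    return ["op", "read", uri]


def ask_user(name):
    """Ask the permission question from the instructions; only 'y' approves."""
    answer = input(f"I need to access the {name} to proceed. "
                   "May I run the 1Password CLI to fetch it? [y/N] ")
    return answer.strip().lower() == "y"


def run_op(argv):
    """Run the CLI; stdout is captured, never echoed to the terminal."""
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    if result.returncode != 0:
        # Report only the exit code; stdout and stderr are deliberately not logged.
        raise RuntimeError(f"op read failed with exit code {result.returncode}")
    return result.stdout.rstrip("\n")


def fetch_secret(name, confirm=ask_user, runner=run_op):
    """Return the secret value to the caller in memory, or raise."""
    argv = build_command(name)  # an unknown name fails before any prompt
    if not confirm(name):
        raise SecretAccessDenied(f"user declined access to {name}")
    return runner(argv)
```

Callers keep the returned value in a local variable and pass it straight to the client that needs it; printing it or writing it to a file would defeat the last step.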