🔐 WayCup Secret Registry

This document acts as a Map for AI agents and human teammates. It describes where secrets live without actually storing the sensitive data.

🛡️ Security Protocol

  1. NO SECRETS IN PLAIN TEXT. Never paste a password, API key, or token into this Vault.
  2. 1PASSWORD IS THE SOURCE OF TRUTH. All secrets must be stored in the WayCup shared vault in 1Password.
  3. ACCESS VIA CLI. AI agents must use the op read command to fetch values, and MUST ask for user permission before execution.

🗺️ Secret Mapping

ServiceSecret Name1Password URIPurpose
Google CloudGEMINI_API_KEYop://WayCup Security/Gemini API/credentialGlobal fallback credential.
Google CloudGEMINI_API_KEY_KEVINop://WayCup Security/Gemini API Sandbox - Kevin/credentialKevin’s sandbox API Key (waycup-kevin-sandbox).
Google CloudGEMINI_API_KEY_BRENNop://WayCup Security/Gemini API Sandbox - Brenn/credentialBrenn’s sandbox API Key (waycup-brenn-sandbox).
GitHubGH_TOKENop://WayCup Security/GitHub/tokenCLI authentication for snip and gh.
TailscaleTAILSCALE_AUTH_KEYop://WayCup Security/Tailscale/auth_keyNode authentication for Engine recovery.
Dog WizardDOG_WIZARD_DB_URLop://Clients/Dog Wizard/db_urlProduction database connection string.

🤖 AI Instructions (How to read this)

If you need to access a secret listed above, do not guess. Follow these steps:

  1. Identify the 1Password URI for the required secret.
  2. Construct the command: op read "<URI>"
  3. Ask the user: “I need to access the [Secret Name] to proceed. May I run the 1Password CLI to fetch it?”
  4. Once permitted, execute the command and use the value only in memory. Never log it.