Secrets & Configuration
Guardrails
- Backend: GCP Secret Manager
- Frontend: Vercel env vars (frontend‑only)
- CI → Cloud: GitHub OIDC → GCP (no long‑lived keys)
- Config validation: Zod at startup
- Secret scanning: gitleaks (pre‑commit + CI)
- Rotation: every 90 days; owners tracked
Zod config example:

```ts
import { z } from 'zod';

// Every config value the app reads is declared here; SENTRY_DSN is optional but must be a URL when set.
const Schema = z.object({
  FIREBASE_PROJECT_ID: z.string(),
  SENTRY_DSN: z.string().url().optional(),
});

// Parse at startup so a missing or malformed value throws before the app serves traffic.
export const env = Schema.parse({
  FIREBASE_PROJECT_ID: process.env.FIREBASE_PROJECT_ID,
  SENTRY_DSN: process.env.SENTRY_DSN,
});
```
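The same startup check written without a dependency, as an added example that is not part of the project's code: it mirrors the schema above (FIREBASE_PROJECT_ID required, SENTRY_DSN an optional URL), collects every problem before failing so one boot attempt reports them all, and never puts a variable's value in the error text. It also treats an empty string as unset, which plain `z.string()` does not (the Zod schema would need `.min(1)` for that); the `loadConfig` and `bootOrExit` names are this example's own.

```javascript
// Added example (not the project's code): dependency-free stand-in for the Zod
// startup check. Same schema shape as the page's example.
const SCHEMA = {
  FIREBASE_PROJECT_ID: { required: true },
  SENTRY_DSN: { required: false, url: true },
};

// Validate a plain key/value object (normally process.env) against SCHEMA.
// Returns { ok: true, env } or { ok: false, errors }. Error strings name the
// variable and the violated rule only, never the value, so a failed boot can
// be logged without leaking a secret.
function loadConfig(source) {
  const env = {};
  const errors = [];
  for (const [key, rule] of Object.entries(SCHEMA)) {
    const value = source[key];
    // Treat "" like unset: a blank entry in a .env file is a missing value,
    // not a valid one (z.string() alone would accept it).
    if (value === undefined || value === '') {
      if (rule.required) errors.push(`${key}: required but not set`);
      continue;
    }
    if (rule.url) {
      try {
        new URL(value); // throws TypeError on anything that is not an absolute URL
      } catch {
        errors.push(`${key}: must be a valid URL`);
        continue;
      }
    }
    env[key] = value;
  }
  return errors.length ? { ok: false, errors } : { ok: true, env };
}

// Fail fast at startup: exit before serving traffic rather than run half-configured.
function bootOrExit(source = process.env) {
  const result = loadConfig(source);
  if (!result.ok) {
    console.error('invalid configuration:\n  ' + result.errors.join('\n  '));
    process.exit(1);
  }
  return result.env;
}
```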
OIDC setup snippet (GitHub Actions job that authenticates to GCP via Workload Identity Federation, no stored service-account key):

```yaml
permissions:
  id-token: write   # lets the job request an OIDC token from GitHub
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }}
          service_account: ${{ secrets.GCP_SA_EMAIL }}
      - uses: google-github-actions/setup-gcloud@v2
      - run: gcloud --quiet components install beta
      - run: pnpm i && pnpm build && firebase deploy --only functions
```
LLM Notes
- Do not hard‑code secrets. Read via env and validate with Zod.