
Chapter 07 · 06

Manage Secrets Carefully

AI tools read your files, and sometimes share context with a remote service. That makes leaked secrets a real risk. Build good habits from day one:

  • Never put real keys in code. Use environment variables and a .env file.
  • Always gitignore your .env. Commit a .env.example with empty placeholders so the AI knows what's needed without seeing the values.
  • Scope keys narrowly and rotate anything that may have been exposed.
  • Tell the AI in your context file to never hardcode or commit secrets.

A loud rule like "Never read or print the contents of .env" in your AGENTS.md is cheap insurance. So is a pre-commit hook or a secret-scanning tool that refuses a commit containing something that looks like a key — defense in depth matters here because the cost of a leak is asymmetric. A key pushed to a public repo is compromised the moment it lands, even if you delete it seconds later, because bots scrape commits in real time. When in doubt, assume an exposed key is burned and rotate it; rotating a key takes a minute, while cleaning up after a leaked one can take days.
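Here is an added example, not from the handbook, of the pre-commit hook this paragraph describes, tying together the .gitignore and .env.example habits from the list above: a POSIX sh script that refuses a commit when a real .env file is staged or when a staged file contains something shaped like a common API key. The key patterns, the exemption for .env.example, and the function names are assumptions to adapt to your own providers.

```shell
#!/bin/sh
# Pre-commit hook: refuse a commit that stages a .env file or key-like content.
# Install by copying to .git/hooks/pre-commit and making it executable.
# Shapes of common key formats plus "SOMETHING_SECRET=<long value>" assignments;
# these patterns are an assumption, extend them for the providers you use.
SECRET_REGEX="sk-[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}"
SECRET_REGEX="$SECRET_REGEX|-----BEGIN [A-Z ]*PRIVATE KEY-----"
SECRET_REGEX="$SECRET_REGEX|(API_KEY|SECRET|TOKEN|PASSWORD)[A-Za-z_]*[[:space:]]*=[[:space:]]*[\"']?[A-Za-z0-9/+_-]{16,}"

# True (0) when the path is a real environment file that must stay out of git;
# .env.example holds empty placeholders only, so it is allowed through.
is_forbidden_env_file() {
    case "$(basename "$1")" in
        .env.example) return 1 ;;
        .env|.env.*)  return 0 ;;
        *)            return 1 ;;
    esac
}

# 0 when the file looks clean, 1 when a key-like string is present. Only
# file:line is reported, never the value, so the hook does not echo a secret
# into terminal scrollback or CI logs.
scan_file_for_secrets() {
    case "$1" in *.env.example) return 0 ;; esac
    if grep -Eq "$SECRET_REGEX" "$1" 2>/dev/null; then
        grep -En "$SECRET_REGEX" "$1" | cut -d: -f1 | sed "s|^|  $1:|" >&2
        return 1
    fi
    return 0
}
# Examine every staged file; a non-zero return makes git abort the commit.
run_precommit_scan() {
    status=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if is_forbidden_env_file "$f"; then
            echo "refusing commit: $f is an environment file; keep it in .gitignore" >&2
            status=1
        elif [ -f "$f" ] && ! scan_file_for_secrets "$f"; then
            echo "refusing commit: $f contains something that looks like a key" >&2
            status=1
        fi
    done <<EOF
$(git diff --cached --name-only --diff-filter=ACM)
EOF
    return $status
}
# git runs the script directly when installed under .git/hooks; scan only then.
case "$0" in */hooks/pre-commit) run_precommit_scan || exit 1 ;; esac
```

Pair it with a hosted secret scanner on the remote as well; the hook only protects commits made on machines where it is installed.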
