Do not share
- Environment files containing production values.
- API keys, tokens, database passwords, and private keys.
- Raw customer data, export files, invoices, or backups.
- Auth headers, session cookies, and one-time codes.
How the agent can verify safely
The agent can often check that a value exists or that two configurations match without printing the value. Ask it to report "exists", "missing", or "matches", not the secret itself.
Publishing rule: public articles should never include real secrets, internal secret names, or historical examples that reveal how an environment is configured.
Good habits
- Use placeholders in prompts and documentation.
- Keep production configuration on the server or in a safe secret manager.
- Add environment files and backup artifacts to ignore rules.
- Rotate secrets if they were shared by accident.
Safe prompts for secret handling
- "Check whether the required environment variables exist, but do not print their values."
- "Tell me which secrets are missing using only variable names, not values."
- "Verify that local secret files are ignored by Git."
- "Before committing, scan the diff for accidentally included credentials or customer data."
- "If you need a secret, tell me where I should enter it securely instead of pasting it into chat."