npm - @hivehub/rulebook - Versions diffs - 1.2.0 - Mend

@hivehub/rulebook 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (379) hide show

package/LICENSE +191 -0
package/README.md +539 -0
package/dist/agents/claude-code.d.ts +69 -0
package/dist/agents/claude-code.d.ts.map +1 -0
package/dist/agents/claude-code.js +180 -0
package/dist/agents/claude-code.js.map +1 -0
package/dist/agents/cursor-agent.d.ts +184 -0
package/dist/agents/cursor-agent.d.ts.map +1 -0
package/dist/agents/cursor-agent.js +299 -0
package/dist/agents/cursor-agent.js.map +1 -0
package/dist/agents/gemini-cli.d.ts +69 -0
package/dist/agents/gemini-cli.d.ts.map +1 -0
package/dist/agents/gemini-cli.js +180 -0
package/dist/agents/gemini-cli.js.map +1 -0
package/dist/cli/commands.d.ts +57 -0
package/dist/cli/commands.d.ts.map +1 -0
package/dist/cli/commands.js +1370 -0
package/dist/cli/commands.js.map +1 -0
package/dist/cli/docs-prompts.d.ts +3 -0
package/dist/cli/docs-prompts.d.ts.map +1 -0
package/dist/cli/docs-prompts.js +45 -0
package/dist/cli/docs-prompts.js.map +1 -0
package/dist/cli/prompts.d.ts +6 -0
package/dist/cli/prompts.d.ts.map +1 -0
package/dist/cli/prompts.js +376 -0
package/dist/cli/prompts.js.map +1 -0
package/dist/core/agent-manager.d.ts +89 -0
package/dist/core/agent-manager.d.ts.map +1 -0
package/dist/core/agent-manager.js +546 -0
package/dist/core/agent-manager.js.map +1 -0
package/dist/core/auto-fixer.d.ts +14 -0
package/dist/core/auto-fixer.d.ts.map +1 -0
package/dist/core/auto-fixer.js +207 -0
package/dist/core/auto-fixer.js.map +1 -0
package/dist/core/changelog-generator.d.ts +44 -0
package/dist/core/changelog-generator.d.ts.map +1 -0
package/dist/core/changelog-generator.js +222 -0
package/dist/core/changelog-generator.js.map +1 -0
package/dist/core/cli-bridge.d.ts +113 -0
package/dist/core/cli-bridge.d.ts.map +1 -0
package/dist/core/cli-bridge.js +1094 -0
package/dist/core/cli-bridge.js.map +1 -0
package/dist/core/config-manager.d.ts +65 -0
package/dist/core/config-manager.d.ts.map +1 -0
package/dist/core/config-manager.js +266 -0
package/dist/core/config-manager.js.map +1 -0
package/dist/core/coverage-checker.d.ts +14 -0
package/dist/core/coverage-checker.d.ts.map +1 -0
package/dist/core/coverage-checker.js +176 -0
package/dist/core/coverage-checker.js.map +1 -0
package/dist/core/custom-templates.d.ts +27 -0
package/dist/core/custom-templates.d.ts.map +1 -0
package/dist/core/custom-templates.js +122 -0
package/dist/core/custom-templates.js.map +1 -0
package/dist/core/dependency-checker.d.ts +21 -0
package/dist/core/dependency-checker.d.ts.map +1 -0
package/dist/core/dependency-checker.js +247 -0
package/dist/core/dependency-checker.js.map +1 -0
package/dist/core/detector.d.ts +3 -0
package/dist/core/detector.d.ts.map +1 -0
package/dist/core/detector.js +1443 -0
package/dist/core/detector.js.map +1 -0
package/dist/core/docs-generator.d.ts +9 -0
package/dist/core/docs-generator.d.ts.map +1 -0
package/dist/core/docs-generator.js +531 -0
package/dist/core/docs-generator.js.map +1 -0
package/dist/core/generator.d.ts +16 -0
package/dist/core/generator.d.ts.map +1 -0
package/dist/core/generator.js +561 -0
package/dist/core/generator.js.map +1 -0
package/dist/core/gitignore-generator.d.ts +13 -0
package/dist/core/gitignore-generator.d.ts.map +1 -0
package/dist/core/gitignore-generator.js +307 -0
package/dist/core/gitignore-generator.js.map +1 -0
package/dist/core/health-scorer.d.ts +22 -0
package/dist/core/health-scorer.d.ts.map +1 -0
package/dist/core/health-scorer.js +395 -0
package/dist/core/health-scorer.js.map +1 -0
package/dist/core/logger.d.ts +116 -0
package/dist/core/logger.d.ts.map +1 -0
package/dist/core/logger.js +289 -0
package/dist/core/logger.js.map +1 -0
package/dist/core/merger.d.ts +6 -0
package/dist/core/merger.d.ts.map +1 -0
package/dist/core/merger.js +131 -0
package/dist/core/merger.js.map +1 -0
package/dist/core/migrator.d.ts +19 -0
package/dist/core/migrator.d.ts.map +1 -0
package/dist/core/migrator.js +102 -0
package/dist/core/migrator.js.map +1 -0
package/dist/core/minimal-scaffolder.d.ts +8 -0
package/dist/core/minimal-scaffolder.d.ts.map +1 -0
package/dist/core/minimal-scaffolder.js +51 -0
package/dist/core/minimal-scaffolder.js.map +1 -0
package/dist/core/modern-console-new.d.ts +81 -0
package/dist/core/modern-console-new.d.ts.map +1 -0
package/dist/core/modern-console-new.js +340 -0
package/dist/core/modern-console-new.js.map +1 -0
package/dist/core/modern-console.d.ts +99 -0
package/dist/core/modern-console.d.ts.map +1 -0
package/dist/core/modern-console.js +568 -0
package/dist/core/modern-console.js.map +1 -0
package/dist/core/openspec-manager.d.ts +133 -0
package/dist/core/openspec-manager.d.ts.map +1 -0
package/dist/core/openspec-manager.js +605 -0
package/dist/core/openspec-manager.js.map +1 -0
package/dist/core/openspec-migrator.d.ts +27 -0
package/dist/core/openspec-migrator.d.ts.map +1 -0
package/dist/core/openspec-migrator.js +255 -0
package/dist/core/openspec-migrator.js.map +1 -0
package/dist/core/task-manager.d.ts +65 -0
package/dist/core/task-manager.d.ts.map +1 -0
package/dist/core/task-manager.js +318 -0
package/dist/core/task-manager.js.map +1 -0
package/dist/core/test-task-manager.d.ts +49 -0
package/dist/core/test-task-manager.d.ts.map +1 -0
package/dist/core/test-task-manager.js +121 -0
package/dist/core/test-task-manager.js.map +1 -0
package/dist/core/validator.d.ts +21 -0
package/dist/core/validator.d.ts.map +1 -0
package/dist/core/validator.js +177 -0
package/dist/core/validator.js.map +1 -0
package/dist/core/version-bumper.d.ts +19 -0
package/dist/core/version-bumper.d.ts.map +1 -0
package/dist/core/version-bumper.js +180 -0
package/dist/core/version-bumper.js.map +1 -0
package/dist/core/watcher.d.ts +9 -0
package/dist/core/watcher.d.ts.map +1 -0
package/dist/core/watcher.js +22 -0
package/dist/core/watcher.js.map +1 -0
package/dist/core/workflow-generator.d.ts +10 -0
package/dist/core/workflow-generator.d.ts.map +1 -0
package/dist/core/workflow-generator.js +279 -0
package/dist/core/workflow-generator.js.map +1 -0
package/dist/index.d.ts +3 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +159 -0
package/dist/index.js.map +1 -0
package/dist/mcp/handlers/archive-task.d.ts +17 -0
package/dist/mcp/handlers/archive-task.d.ts.map +1 -0
package/dist/mcp/handlers/archive-task.js +36 -0
package/dist/mcp/handlers/archive-task.js.map +1 -0
package/dist/mcp/handlers/create-task.d.ts +17 -0
package/dist/mcp/handlers/create-task.d.ts.map +1 -0
package/dist/mcp/handlers/create-task.js +56 -0
package/dist/mcp/handlers/create-task.js.map +1 -0
package/dist/mcp/handlers/list-tasks.d.ts +22 -0
package/dist/mcp/handlers/list-tasks.d.ts.map +1 -0
package/dist/mcp/handlers/list-tasks.js +42 -0
package/dist/mcp/handlers/list-tasks.js.map +1 -0
package/dist/mcp/handlers/show-task.d.ts +25 -0
package/dist/mcp/handlers/show-task.d.ts.map +1 -0
package/dist/mcp/handlers/show-task.js +43 -0
package/dist/mcp/handlers/show-task.js.map +1 -0
package/dist/mcp/handlers/update-task.d.ts +17 -0
package/dist/mcp/handlers/update-task.d.ts.map +1 -0
package/dist/mcp/handlers/update-task.js +35 -0
package/dist/mcp/handlers/update-task.js.map +1 -0
package/dist/mcp/handlers/validate-task.d.ts +15 -0
package/dist/mcp/handlers/validate-task.d.ts.map +1 -0
package/dist/mcp/handlers/validate-task.js +27 -0
package/dist/mcp/handlers/validate-task.js.map +1 -0
package/dist/mcp/rulebook-config.d.ts +22 -0
package/dist/mcp/rulebook-config.d.ts.map +1 -0
package/dist/mcp/rulebook-config.js +65 -0
package/dist/mcp/rulebook-config.js.map +1 -0
package/dist/mcp/rulebook-server.d.ts +4 -0
package/dist/mcp/rulebook-server.d.ts.map +1 -0
package/dist/mcp/rulebook-server.js +246 -0
package/dist/mcp/rulebook-server.js.map +1 -0
package/dist/types.d.ts +190 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +2 -0
package/dist/types.js.map +1 -0
package/dist/utils/file-system.d.ts +9 -0
package/dist/utils/file-system.d.ts.map +1 -0
package/dist/utils/file-system.js +51 -0
package/dist/utils/file-system.js.map +1 -0
package/dist/utils/git-hooks.d.ts +8 -0
package/dist/utils/git-hooks.d.ts.map +1 -0
package/dist/utils/git-hooks.js +440 -0
package/dist/utils/git-hooks.js.map +1 -0
package/dist/utils/rulesignore.d.ts +9 -0
package/dist/utils/rulesignore.d.ts.map +1 -0
package/dist/utils/rulesignore.js +42 -0
package/dist/utils/rulesignore.js.map +1 -0
package/package.json +106 -0
package/templates/cli/AIDER.md +49 -0
package/templates/cli/AMAZON_Q.md +25 -0
package/templates/cli/AUGGIE.md +32 -0
package/templates/cli/CLAUDE.md +32 -0
package/templates/cli/CLAUDE_CODE.md +35 -0
package/templates/cli/CLINE.md +32 -0
package/templates/cli/CODEBUDDY.md +20 -0
package/templates/cli/CODEIUM.md +20 -0
package/templates/cli/CODEX.md +21 -0
package/templates/cli/CONTINUE.md +34 -0
package/templates/cli/CURSOR_CLI.md +28 -0
package/templates/cli/FACTORY.md +18 -0
package/templates/cli/GEMINI.md +35 -0
package/templates/cli/KILOCODE.md +18 -0
package/templates/cli/OPENCODE.md +18 -0
package/templates/cli/_GENERIC_TEMPLATE.md +29 -0
package/templates/commands/rulebook-task-apply.md +67 -0
package/templates/commands/rulebook-task-archive.md +70 -0
package/templates/commands/rulebook-task-create.md +93 -0
package/templates/commands/rulebook-task-list.md +42 -0
package/templates/commands/rulebook-task-show.md +52 -0
package/templates/commands/rulebook-task-validate.md +53 -0
package/templates/core/AGENT_AUTOMATION.md +184 -0
package/templates/core/DAG.md +304 -0
package/templates/core/DOCUMENTATION_RULES.md +37 -0
package/templates/core/QUALITY_ENFORCEMENT.md +68 -0
package/templates/core/RULEBOOK.md +1874 -0
package/templates/frameworks/ANGULAR.md +36 -0
package/templates/frameworks/DJANGO.md +83 -0
package/templates/frameworks/ELECTRON.md +147 -0
package/templates/frameworks/FLASK.md +38 -0
package/templates/frameworks/FLUTTER.md +55 -0
package/templates/frameworks/JQUERY.md +32 -0
package/templates/frameworks/LARAVEL.md +38 -0
package/templates/frameworks/NESTJS.md +43 -0
package/templates/frameworks/NEXTJS.md +127 -0
package/templates/frameworks/NUXT.md +40 -0
package/templates/frameworks/RAILS.md +66 -0
package/templates/frameworks/REACT.md +38 -0
package/templates/frameworks/REACT_NATIVE.md +47 -0
package/templates/frameworks/SPRING.md +39 -0
package/templates/frameworks/SYMFONY.md +36 -0
package/templates/frameworks/VUE.md +36 -0
package/templates/frameworks/ZEND.md +35 -0
package/templates/git/CI_CD_PATTERNS.md +661 -0
package/templates/git/GITHUB_ACTIONS.md +728 -0
package/templates/git/GITLAB_CI.md +730 -0
package/templates/git/GIT_WORKFLOW.md +1157 -0
package/templates/git/SECRETS_MANAGEMENT.md +585 -0
package/templates/hooks/COMMIT_MSG.md +530 -0
package/templates/hooks/POST_CHECKOUT.md +546 -0
package/templates/hooks/PREPARE_COMMIT_MSG.md +619 -0
package/templates/hooks/PRE_COMMIT.md +414 -0
package/templates/hooks/PRE_PUSH.md +601 -0
package/templates/hooks/csharp-pre-commit.sh +23 -0
package/templates/hooks/csharp-pre-push.sh +23 -0
package/templates/hooks/dart-pre-commit.sh +30 -0
package/templates/hooks/dart-pre-push.sh +25 -0
package/templates/hooks/elixir-pre-commit.sh +32 -0
package/templates/hooks/elixir-pre-push.sh +31 -0
package/templates/hooks/erlang-pre-commit.sh +30 -0
package/templates/hooks/erlang-pre-push.sh +37 -0
package/templates/hooks/go-pre-commit.sh +40 -0
package/templates/hooks/go-pre-push.sh +31 -0
package/templates/hooks/haskell-pre-commit.sh +41 -0
package/templates/hooks/haskell-pre-push.sh +37 -0
package/templates/hooks/java-pre-commit.sh +34 -0
package/templates/hooks/java-pre-push.sh +24 -0
package/templates/hooks/kotlin-pre-commit.sh +32 -0
package/templates/hooks/kotlin-pre-push.sh +16 -0
package/templates/hooks/php-pre-commit.sh +36 -0
package/templates/hooks/php-pre-push.sh +26 -0
package/templates/hooks/python-pre-commit.sh +51 -0
package/templates/hooks/python-pre-push.sh +25 -0
package/templates/hooks/ruby-pre-commit.sh +33 -0
package/templates/hooks/ruby-pre-push.sh +32 -0
package/templates/hooks/rust-pre-commit.sh +30 -0
package/templates/hooks/rust-pre-push.sh +30 -0
package/templates/hooks/scala-pre-commit.sh +32 -0
package/templates/hooks/scala-pre-push.sh +24 -0
package/templates/hooks/swift-pre-commit.sh +25 -0
package/templates/hooks/swift-pre-push.sh +23 -0
package/templates/hooks/typescript-pre-commit.sh +37 -0
package/templates/hooks/typescript-pre-push.sh +36 -0
package/templates/ides/COPILOT.md +37 -0
package/templates/ides/CURSOR.md +43 -0
package/templates/ides/JETBRAINS_AI.md +35 -0
package/templates/ides/REPLIT.md +36 -0
package/templates/ides/TABNINE.md +29 -0
package/templates/ides/VSCODE.md +40 -0
package/templates/ides/WINDSURF.md +36 -0
package/templates/ides/ZED.md +32 -0
package/templates/languages/ADA.md +58 -0
package/templates/languages/C.md +333 -0
package/templates/languages/CPP.md +743 -0
package/templates/languages/CSHARP.md +417 -0
package/templates/languages/DART.md +332 -0
package/templates/languages/ELIXIR.md +454 -0
package/templates/languages/ERLANG.md +361 -0
package/templates/languages/GO.md +645 -0
package/templates/languages/HASKELL.md +177 -0
package/templates/languages/JAVA.md +607 -0
package/templates/languages/JAVASCRIPT.md +631 -0
package/templates/languages/JULIA.md +97 -0
package/templates/languages/KOTLIN.md +511 -0
package/templates/languages/LISP.md +100 -0
package/templates/languages/LUA.md +74 -0
package/templates/languages/OBJECTIVEC.md +90 -0
package/templates/languages/PHP.md +416 -0
package/templates/languages/PYTHON.md +682 -0
package/templates/languages/R.md +350 -0
package/templates/languages/RUBY.md +421 -0
package/templates/languages/RUST.md +477 -0
package/templates/languages/SAS.md +73 -0
package/templates/languages/SCALA.md +348 -0
package/templates/languages/SOLIDITY.md +580 -0
package/templates/languages/SQL.md +137 -0
package/templates/languages/SWIFT.md +466 -0
package/templates/languages/TYPESCRIPT.md +591 -0
package/templates/languages/ZIG.md +265 -0
package/templates/modules/ATLASSIAN.md +255 -0
package/templates/modules/CONTEXT7.md +54 -0
package/templates/modules/FIGMA.md +267 -0
package/templates/modules/GITHUB_MCP.md +64 -0
package/templates/modules/GRAFANA.md +328 -0
package/templates/modules/NOTION.md +247 -0
package/templates/modules/PLAYWRIGHT.md +90 -0
package/templates/modules/RULEBOOK_MCP.md +156 -0
package/templates/modules/SERENA.md +337 -0
package/templates/modules/SUPABASE.md +223 -0
package/templates/modules/SYNAP.md +69 -0
package/templates/modules/VECTORIZER.md +63 -0
package/templates/services/AZURE_BLOB.md +184 -0
package/templates/services/CASSANDRA.md +239 -0
package/templates/services/DYNAMODB.md +308 -0
package/templates/services/ELASTICSEARCH.md +347 -0
package/templates/services/GCS.md +178 -0
package/templates/services/INFLUXDB.md +265 -0
package/templates/services/KAFKA.md +341 -0
package/templates/services/MARIADB.md +183 -0
package/templates/services/MEMCACHED.md +242 -0
package/templates/services/MINIO.md +201 -0
package/templates/services/MONGODB.md +268 -0
package/templates/services/MYSQL.md +358 -0
package/templates/services/NEO4J.md +247 -0
package/templates/services/ORACLE.md +290 -0
package/templates/services/POSTGRESQL.md +326 -0
package/templates/services/RABBITMQ.md +286 -0
package/templates/services/REDIS.md +292 -0
package/templates/services/S3.md +298 -0
package/templates/services/SQLITE.md +294 -0
package/templates/services/SQLSERVER.md +294 -0
package/templates/workflows/codespell.yml +31 -0
package/templates/workflows/cpp-lint.yml +47 -0
package/templates/workflows/cpp-publish.yml +119 -0
package/templates/workflows/cpp-test.yml +77 -0
package/templates/workflows/dotnet-lint.yml +29 -0
package/templates/workflows/dotnet-publish.yml +40 -0
package/templates/workflows/dotnet-test.yml +41 -0
package/templates/workflows/elixir-lint.yml +45 -0
package/templates/workflows/elixir-publish.yml +49 -0
package/templates/workflows/elixir-test.yml +54 -0
package/templates/workflows/erlang-lint.yml +47 -0
package/templates/workflows/erlang-test.yml +62 -0
package/templates/workflows/go-lint.yml +39 -0
package/templates/workflows/go-publish.yml +95 -0
package/templates/workflows/go-test.yml +59 -0
package/templates/workflows/java-lint.yml +60 -0
package/templates/workflows/java-publish.yml +120 -0
package/templates/workflows/java-test.yml +85 -0
package/templates/workflows/kotlin-lint.yml +34 -0
package/templates/workflows/kotlin-publish.yml +56 -0
package/templates/workflows/kotlin-test.yml +48 -0
package/templates/workflows/php-lint.yml +39 -0
package/templates/workflows/php-publish.yml +50 -0
package/templates/workflows/php-test.yml +54 -0
package/templates/workflows/python-lint.yml +47 -0
package/templates/workflows/python-publish.yml +91 -0
package/templates/workflows/python-test.yml +59 -0
package/templates/workflows/rust-lint.yml +54 -0
package/templates/workflows/rust-publish.yml +66 -0
package/templates/workflows/rust-test.yml +75 -0
package/templates/workflows/solidity-lint.yml +41 -0
package/templates/workflows/solidity-test.yml +47 -0
package/templates/workflows/swift-lint.yml +32 -0
package/templates/workflows/swift-publish.yml +58 -0
package/templates/workflows/swift-test.yml +44 -0
package/templates/workflows/typescript-lint.yml +61 -0
package/templates/workflows/typescript-publish.yml +60 -0
package/templates/workflows/typescript-test.yml +73 -0
package/templates/workflows/zig-lint.yml +27 -0
package/templates/workflows/zig-test.yml +40 -0

package/templates/git/SECRETS_MANAGEMENT.md ADDED Viewed

@@ -0,0 +1,585 @@
+# Secrets Management in CI/CD
+This template provides best practices for securely managing secrets, API keys, tokens, and sensitive configuration in CI/CD pipelines.
+## Purpose
+Secure secrets management ensures:
+- No hardcoded credentials in code
+- Encrypted storage of sensitive data
+- Least-privilege access control
+- Audit trail of secret usage
+- Easy secret rotation
+## Core Principles
+### 1. **Never Commit Secrets to Version Control**
+**❌ Bad**:
+```javascript
+// NEVER do this
+const API_KEY = 'sk_live_abc123xyz';
+const DATABASE_URL = 'postgres://user:password@host/db';
+```
+**✅ Good**:
+```javascript
+// Use environment variables
+const API_KEY = process.env.API_KEY;
+const DATABASE_URL = process.env.DATABASE_URL;
+```
+### 2. **Use Platform Secret Stores**
+**Platforms**:
+- GitHub Actions: Repository/Organization secrets
+- GitLab CI: CI/CD variables
+- CircleCI: Environment variables (Project/Context)
+- Azure DevOps: Variable groups
+- AWS: Secrets Manager / Parameter Store
+### 3. **Apply Least Privilege**
+**Principle**: Grant minimum necessary access
+```yaml
+# Good: Environment-specific secrets
+production:
+  env:
+    API_KEY: ${{ secrets.PROD_API_KEY }}
+development:
+  env:
+    API_KEY: ${{ secrets.DEV_API_KEY }}
+```
+### 4. **Rotate Secrets Regularly**
+**Schedule**:
+- API keys: Every 90 days
+- Access tokens: Every 90 days
+- SSH keys: Every 180 days
+- Database passwords: Every 90 days
+## Platform-Specific Implementation
+### GitHub Actions
+#### Repository Secrets
+**Add via UI**:
+1. Repository → Settings → Secrets and variables → Actions
+2. New repository secret
+3. Name: `API_KEY`
+4. Value: `sk_live_abc123xyz`
+**Add via CLI**:
+```bash
+gh secret set API_KEY < api_key.txt
+# Or inline
+gh secret set API_KEY --body "sk_live_abc123xyz"
+```
+**Usage in Workflow**:
+```yaml
+jobs:
+  deploy:
+    steps:
+      - name: Deploy
+        run: ./deploy.sh
+        env:
+          API_KEY: ${{ secrets.API_KEY }}
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
+```
+#### Organization Secrets
+**When to use**: Shared across multiple repositories
+```yaml
+# Available to all repos in org
+- name: Use org secret
+  env:
+    NPM_TOKEN: ${{ secrets.NPM_TOKEN }}  # Org-level secret
+```
+#### Environment Secrets
+**When to use**: Environment-specific secrets (production, staging)
+```yaml
+jobs:
+  deploy:production:
+    environment: production  # Uses production environment secrets
+    steps:
+      - run: deploy.sh
+        env:
+          API_KEY: ${{ secrets.API_KEY }}  # production-specific value
+```
+### GitLab CI
+#### CI/CD Variables
+**Add via UI**:
+1. Project → Settings → CI/CD → Variables
+2. Add variable
+3. Key: `API_KEY`
+4. Value: `sk_live_abc123xyz`
+5. Flags: ✓ Protect variable (main branch only), ✓ Mask variable
+**Usage in Pipeline**:
+```yaml
+deploy:
+  script:
+    - deploy.sh
+  variables:
+    API_KEY: ${{ secrets.API_KEY }}
+  only:
+    - main
+```
+#### File Variables
+**For multi-line secrets** (certificates, keys):
+```yaml
+deploy:
+  before_script:
+    - echo "$SSL_CERTIFICATE" > cert.pem
+    - chmod 600 cert.pem
+  script:
+    - use-certificate cert.pem
+```
+### CircleCI
+#### Project Environment Variables
+**Add via UI**:
+1. Project Settings → Environment Variables
+2. Add Variable
+3. Name: `API_KEY`, Value: `sk_live_abc123xyz`
+**Usage in Config**:
+```yaml
+jobs:
+  deploy:
+    steps:
+      - run:
+          command: deploy.sh
+          environment:
+            API_KEY: $API_KEY
+```
+#### Contexts (Organization Secrets)
+```yaml
+workflows:
+  deploy:
+    jobs:
+      - deploy:
+          context: production-secrets  # Shared secrets
+```
+## Secret Types and Patterns
+### 1. API Keys
+**Pattern**: Use environment-specific keys
+```yaml
+# development
+env:
+  STRIPE_KEY: ${{ secrets.STRIPE_TEST_KEY }}
+# production
+env:
+  STRIPE_KEY: ${{ secrets.STRIPE_LIVE_KEY }}
+```
+### 2. Database Credentials
+**Pattern**: Use connection strings with secrets
+```yaml
+env:
+  # Store entire connection string
+  DATABASE_URL: ${{ secrets.DATABASE_URL }}
+  # Or compose from parts
+  DB_HOST: ${{ secrets.DB_HOST }}
+  DB_USER: ${{ secrets.DB_USER }}
+  DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
+  DB_NAME: ${{ secrets.DB_NAME }}
+```
+**Script usage**:
+```bash
+# Use DATABASE_URL directly
+psql "$DATABASE_URL" -c "SELECT 1"
+# Or construct connection string
+psql "postgres://$DB_USER:$DB_PASSWORD@$DB_HOST/$DB_NAME"
+```
+### 3. SSH Keys
+**Pattern**: Add SSH key for deployments
+```yaml
+- name: Setup SSH key
+  run: |
+    mkdir -p ~/.ssh
+    echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+    chmod 600 ~/.ssh/id_rsa
+    ssh-keyscan ${{ secrets.SSH_HOST }} >> ~/.ssh/known_hosts
+```
+### 4. Service Account Keys (JSON)
+**Pattern**: Store JSON credentials as secret
+```yaml
+- name: Authenticate with GCP
+  run: |
+    echo '${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}' > key.json
+    gcloud auth activate-service-account --key-file=key.json
+    rm key.json  # Clean up
+```
+### 5. Certificates (PEM/CRT)
+**Pattern**: Multi-line secret as file
+```yaml
+- name: Setup certificate
+  run: |
+    echo "${{ secrets.SSL_CERTIFICATE }}" > cert.pem
+    echo "${{ secrets.SSL_PRIVATE_KEY }}" > key.pem
+    chmod 600 *.pem
+```
+### 6. Signing Keys
+**Pattern**: Sign artifacts with secret key
+```yaml
+- name: Sign package
+  run: |
+    echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --import
+    gpg --sign package.tar.gz
+```
+## Advanced Patterns
+### Pattern 1: Dynamic Secrets from Vault
+**Use Vault for dynamic, short-lived secrets**:
+```yaml
+- name: Get secrets from Vault
+  run: |
+    # Login to Vault
+    vault login -method=github token=${{ secrets.VAULT_TOKEN }}
+    # Get dynamic database credentials (expires in 1 hour)
+    export DB_USER=$(vault read -field=username database/creds/app)
+    export DB_PASSWORD=$(vault read -field=password database/creds/app)
+    # Use credentials
+    psql "postgres://$DB_USER:$DB_PASSWORD@$DB_HOST/$DB_NAME"
+```
+### Pattern 2: AWS Secrets Manager
+**Retrieve secrets at runtime**:
+```yaml
+- name: Configure AWS credentials
+  uses: aws-actions/configure-aws-credentials@v4
+  with:
+    role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+- name: Get secrets from AWS Secrets Manager
+  run: |
+    export API_KEY=$(aws secretsmanager get-secret-value \
+      --secret-id production/api-key \
+      --query SecretString \
+      --output text)
+    # Use API_KEY
+    curl -H "Authorization: Bearer $API_KEY" https://api.example.com
+```
+### Pattern 3: Google Secret Manager
+```yaml
+- name: Authenticate with GCP
+  uses: google-github-actions/auth@v2
+  with:
+    credentials_json: ${{ secrets.GCP_CREDENTIALS }}
+- name: Get secrets
+  run: |
+    export DATABASE_URL=$(gcloud secrets versions access latest \
+      --secret="database-url")
+```
+### Pattern 4: OIDC/Federated Authentication
+**Passwordless authentication using OIDC** (GitHub Actions → AWS):
+```yaml
+- name: Configure AWS Credentials
+  uses: aws-actions/configure-aws-credentials@v4
+  with:
+    role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole
+    aws-region: us-east-1
+    # No secrets needed! Uses OIDC token
+```
+**Benefits**:
+- No long-lived credentials
+- Automatic rotation
+- Fine-grained permissions
+## Security Best Practices
+### ✅ DO
+1. **Use Secret Scanning**
+   ```yaml
+   # Enable in GitHub: Settings → Code security and analysis
+   # Automatically detects committed secrets
+   ```
+2. **Mask Secrets in Logs**
+   ```yaml
+   # Secrets automatically masked in GitHub Actions logs
+   # Manually mask custom values:
+   - run: echo "::add-mask::$CUSTOM_VALUE"
+   ```
+3. **Use Separate Secrets Per Environment**
+   ```yaml
+   production:
+     env:
+       API_KEY: ${{ secrets.PROD_API_KEY }}
+   staging:
+     env:
+       API_KEY: ${{ secrets.STAGING_API_KEY }}
+   ```
+4. **Limit Secret Scope**
+   ```yaml
+   # GitHub: Only available to protected branches
+   # Settings → Secrets → Environment secrets → production
+   # ✓ Required reviewers
+   # ✓ Wait timer
+   ```
+5. **Audit Secret Usage**
+   ```yaml
+   # GitHub audit log shows:
+   # - Who accessed secrets
+   # - When secrets were used
+   # - Which workflows used secrets
+   ```
+6. **Rotate Secrets Regularly**
+   ```bash
+   # Automate rotation with cron job
+   0 0 1 * * rotate-secrets.sh  # Monthly
+   ```
+### ❌ DON'T
+1. **Don't Echo Secrets**
+   ```yaml
+   # Bad
+   - run: echo "API key is ${{ secrets.API_KEY }}"
+   # Good
+   - run: echo "API key configured"
+   ```
+2. **Don't Store Secrets in Code**
+   ```javascript
+   // Bad
+   const key = 'sk_live_abc123';
+   // Good
+   const key = process.env.API_KEY;
+   ```
+3. **Don't Use Secrets in PR Builds**
+   ```yaml
+   # Bad - secrets exposed to forks
+   on: pull_request
+   # Good - use pull_request_target with care
+   on:
+     pull_request_target:
+       types: [labeled]
+   jobs:
+     test:
+       if: github.event.label.name == 'safe-to-test'
+   ```
+4. **Don't Share Secrets Across Teams**
+   ```yaml
+   # Bad - everyone has prod access
+   env:
+     PROD_KEY: ${{ secrets.PROD_KEY }}
+   # Good - separate secrets per team/environment
+   ```
+5. **Don't Commit `.env` Files**
+   ```bash
+   # .gitignore
+   .env
+   .env.local
+   .env.*.local
+   **/.env
+   ```
+## Secret Rotation Strategy
+### Automated Rotation Process
+**1. Generate New Secret**:
+```bash
+# Script: rotate-api-key.sh
+NEW_KEY=$(generate-api-key.sh)
+# Update in secret store
+gh secret set API_KEY --body "$NEW_KEY"
+# Update in application
+update-application-config.sh "$NEW_KEY"
+```
+**2. Test New Secret**:
+```yaml
+- name: Test new secret
+  run: |
+    curl -H "Authorization: Bearer ${{ secrets.API_KEY }}" \
+      https://api.example.com/health
+```
+**3. Deactivate Old Secret**:
+```bash
+# After confirming new secret works
+deactivate-old-api-key.sh "$OLD_KEY"
+```
+### Rotation Checklist
+- [ ] Generate new secret
+- [ ] Update in CI/CD platform
+- [ ] Deploy with new secret
+- [ ] Verify functionality
+- [ ] Revoke old secret
+- [ ] Update documentation
+## Troubleshooting
+### Secret Not Available
+**Issue**: Workflow can't access secret
+**Solutions**:
+1. Check secret name matches exactly (case-sensitive)
+2. Verify workflow has permission to access secret
+3. Check if secret is environment-specific
+4. Ensure secret is not expired/deleted
+### Secret Masked Incorrectly
+**Issue**: Secret visible in logs
+**Solutions**:
+```yaml
+# Explicitly mask value
+- run: echo "::add-mask::$VALUE"
+# Check if secret contains special characters
+# - Secrets with spaces may not mask correctly
+# - Use quotes: echo "::add-mask::$SECRET"
+```
+### Secret Too Large
+**Issue**: Secret exceeds size limit
+**GitHub Limits**:
+- Secret value: 64 KB
+- Repository: 100 secrets
+- Organization: 1000 secrets
+**Solutions**:
+1. Split large secrets into multiple parts
+2. Store in external secret manager (Vault, AWS Secrets Manager)
+3. Use base64 encoding for binary data
+### Secret Rotation Breaks Deployment
+**Issue**: Old secret revoked before new one deployed
+**Solution**:
+```bash
+# Grace period approach
+1. Deploy new secret to CI/CD
+2. Deploy application with new secret
+3. Wait 24 hours (grace period)
+4. Revoke old secret
+```
+## Common Pitfalls
+1. **❌ Hardcoding secrets**: Always use environment variables
+2. **❌ Committing `.env`**: Add to `.gitignore`
+3. **❌ Using same secret everywhere**: Separate dev/staging/prod
+4. **❌ Never rotating secrets**: Set up automated rotation
+5. **❌ Logging secrets**: Mask sensitive values
+6. **❌ Sharing secrets insecurely**: Use secret management platform
+7. **❌ No audit trail**: Enable secret access logging
+## Integration with Rulebook
+If using `@hivehub/rulebook`, secret management patterns are enforced:
+```bash
+# Initialize with secret management best practices
+npx @hivehub/rulebook init
+# Creates:
+# - .env.example (template)
+# - .gitignore (excludes .env)
+# - Documentation on secret management
+```
+**`.env.example`**:
+```bash
+# API Keys
+API_KEY=your-api-key-here
+DATABASE_URL=postgres://user:password@localhost/db
+# AWS Credentials
+AWS_ACCESS_KEY_ID=your-access-key
+AWS_SECRET_ACCESS_KEY=your-secret-key
+# Note: Copy to .env and fill with actual values
+# .env is gitignored and should NEVER be committed
+```
+## Related Templates
+- See `/rulebook/GITHUB_ACTIONS.md` for GitHub Actions secrets
+- See `/rulebook/GITLAB_CI.md` for GitLab CI secrets
+- See `/rulebook/CI_CD_PATTERNS.md` for deployment patterns
+- See `/rulebook/GIT.md` for .gitignore patterns