npm - @hivehub/rulebook - Versions diffs - 4.2.2 → 4.3.1 - Mend

@hivehub/rulebook 4.2.2 → 4.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (340) hide show

package/.claude/commands/continue.md +33 -33
package/.claude/commands/ralph-config.md +112 -112
package/.claude/commands/ralph-history.md +110 -110
package/.claude/commands/ralph-init.md +72 -72
package/.claude/commands/ralph-pause-resume.md +105 -105
package/.claude/commands/ralph-run.md +101 -101
package/.claude/commands/ralph-status.md +76 -76
package/.claude/commands/rulebook-memory-save.md +48 -48
package/.claude/commands/rulebook-memory-search.md +47 -47
package/.claude/commands/rulebook-task-apply.md +67 -67
package/.claude/commands/rulebook-task-archive.md +70 -70
package/.claude/commands/rulebook-task-create.md +93 -93
package/.claude/commands/rulebook-task-list.md +42 -42
package/.claude/commands/rulebook-task-show.md +52 -52
package/.claude/commands/rulebook-task-validate.md +53 -53
package/.claude-plugin/marketplace.json +28 -28
package/.claude-plugin/plugin.json +8 -8
package/README.md +15 -1
package/dist/cli/commands.d.ts.map +1 -1
package/dist/cli/commands.js +43 -18
package/dist/cli/commands.js.map +1 -1
package/dist/core/claude-mcp.d.ts +10 -2
package/dist/core/claude-mcp.d.ts.map +1 -1
package/dist/core/claude-mcp.js +48 -9
package/dist/core/claude-mcp.js.map +1 -1
package/dist/core/config-manager.d.ts.map +1 -1
package/dist/core/config-manager.js +1 -2
package/dist/core/config-manager.js.map +1 -1
package/dist/core/generator.d.ts +13 -0
package/dist/core/generator.d.ts.map +1 -1
package/dist/core/generator.js +283 -28
package/dist/core/generator.js.map +1 -1
package/dist/core/indexer/background-indexer.d.ts.map +1 -1
package/dist/core/indexer/background-indexer.js +10 -3
package/dist/core/indexer/background-indexer.js.map +1 -1
package/dist/core/workspace/workspace-manager.d.ts.map +1 -1
package/dist/core/workspace/workspace-manager.js +2 -6
package/dist/core/workspace/workspace-manager.js.map +1 -1
package/dist/index.js +1 -3
package/dist/index.js.map +1 -1
package/dist/mcp/rulebook-server.d.ts.map +1 -1
package/dist/mcp/rulebook-server.js +23 -10
package/dist/mcp/rulebook-server.js.map +1 -1
package/package.json +21 -22
package/templates/agents/accessibility-reviewer.md +43 -0
package/templates/agents/api-designer.md +42 -0
package/templates/agents/architect.md +51 -0
package/templates/agents/build-engineer.md +36 -0
package/templates/agents/code-reviewer.md +47 -0
package/templates/agents/database-architect.md +41 -0
package/templates/agents/devops-engineer.md +42 -0
package/templates/agents/docs-writer.md +38 -0
package/templates/agents/i18n-engineer.md +42 -0
package/templates/agents/implementer.md +38 -35
package/templates/agents/migration-engineer.md +42 -0
package/templates/agents/performance-engineer.md +49 -0
package/templates/agents/refactoring-agent.md +41 -0
package/templates/agents/researcher.md +38 -34
package/templates/agents/security-reviewer.md +40 -0
package/templates/agents/team-lead.md +37 -34
package/templates/agents/tester.md +45 -42
package/templates/agents/ux-reviewer.md +43 -0
package/templates/ci/rulebook-review.yml +26 -26
package/templates/cli/AIDER.md +49 -49
package/templates/cli/AMAZON_Q.md +25 -25
package/templates/cli/AUGGIE.md +32 -32
package/templates/cli/CLAUDE.md +117 -117
package/templates/cli/CLINE.md +99 -99
package/templates/cli/CODEBUDDY.md +20 -20
package/templates/cli/CODEIUM.md +20 -20
package/templates/cli/CODEX.md +21 -21
package/templates/cli/CONTINUE.md +34 -34
package/templates/cli/CURSOR_CLI.md +62 -62
package/templates/cli/FACTORY.md +18 -18
package/templates/cli/GEMINI.md +35 -35
package/templates/cli/KILOCODE.md +18 -18
package/templates/cli/OPENCODE.md +18 -18
package/templates/cli/_GENERIC_TEMPLATE.md +29 -29
package/templates/commands/rulebook-memory-save.md +48 -48
package/templates/commands/rulebook-memory-search.md +47 -47
package/templates/commands/rulebook-task-apply.md +67 -67
package/templates/commands/rulebook-task-archive.md +94 -94
package/templates/commands/rulebook-task-create.md +93 -93
package/templates/commands/rulebook-task-list.md +42 -42
package/templates/commands/rulebook-task-show.md +52 -52
package/templates/commands/rulebook-task-validate.md +53 -53
package/templates/core/AGENTS_LEAN.md +25 -25
package/templates/core/AGENTS_OVERRIDE.md +16 -16
package/templates/core/AGENT_AUTOMATION.md +288 -288
package/templates/core/DAG.md +304 -304
package/templates/core/DOCUMENTATION_RULES.md +36 -36
package/templates/core/MULTI_AGENT.md +74 -74
package/templates/core/PLANS.md +28 -28
package/templates/core/QUALITY_ENFORCEMENT.md +68 -68
package/templates/core/RALPH.md +471 -471
package/templates/core/RULEBOOK.md +1935 -1935
package/templates/frameworks/ANGULAR.md +36 -36
package/templates/frameworks/DJANGO.md +83 -83
package/templates/frameworks/ELECTRON.md +147 -147
package/templates/frameworks/FLASK.md +38 -38
package/templates/frameworks/FLUTTER.md +55 -55
package/templates/frameworks/JQUERY.md +32 -32
package/templates/frameworks/LARAVEL.md +38 -38
package/templates/frameworks/NESTJS.md +43 -43
package/templates/frameworks/NEXTJS.md +127 -127
package/templates/frameworks/NUXT.md +40 -40
package/templates/frameworks/RAILS.md +66 -66
package/templates/frameworks/REACT.md +38 -38
package/templates/frameworks/REACT_NATIVE.md +47 -47
package/templates/frameworks/SPRING.md +39 -39
package/templates/frameworks/SYMFONY.md +36 -36
package/templates/frameworks/VUE.md +36 -36
package/templates/frameworks/ZEND.md +35 -35
package/templates/git/CI_CD_PATTERNS.md +661 -661
package/templates/git/GITHUB_ACTIONS.md +728 -728
package/templates/git/GITLAB_CI.md +730 -730
package/templates/git/GIT_WORKFLOW.md +1157 -1157
package/templates/git/SECRETS_MANAGEMENT.md +585 -585
package/templates/hooks/COMMIT_MSG.md +530 -530
package/templates/hooks/POST_CHECKOUT.md +546 -546
package/templates/hooks/PREPARE_COMMIT_MSG.md +619 -619
package/templates/hooks/PRE_COMMIT.md +414 -414
package/templates/hooks/PRE_PUSH.md +601 -601
package/templates/ides/CONTINUE_RULES.md +16 -16
package/templates/ides/COPILOT.md +37 -37
package/templates/ides/COPILOT_INSTRUCTIONS.md +23 -23
package/templates/ides/CURSOR.md +43 -43
package/templates/ides/GEMINI_RULES.md +17 -17
package/templates/ides/JETBRAINS_AI.md +35 -35
package/templates/ides/REPLIT.md +36 -36
package/templates/ides/TABNINE.md +29 -29
package/templates/ides/VSCODE.md +40 -40
package/templates/ides/WINDSURF.md +36 -36
package/templates/ides/WINDSURF_RULES.md +14 -14
package/templates/ides/ZED.md +32 -32
package/templates/ides/cursor-mdc/go.mdc +24 -24
package/templates/ides/cursor-mdc/python.mdc +24 -24
package/templates/ides/cursor-mdc/quality.mdc +25 -25
package/templates/ides/cursor-mdc/ralph.mdc +39 -39
package/templates/ides/cursor-mdc/rulebook.mdc +38 -38
package/templates/ides/cursor-mdc/rust.mdc +24 -24
package/templates/ides/cursor-mdc/typescript.mdc +25 -25
package/templates/languages/C.md +333 -333
package/templates/languages/CPP.md +743 -743
package/templates/languages/CSHARP.md +417 -417
package/templates/languages/ELIXIR.md +454 -454
package/templates/languages/ERLANG.md +361 -361
package/templates/languages/GO.md +645 -645
package/templates/languages/HASKELL.md +177 -177
package/templates/languages/JAVA.md +607 -607
package/templates/languages/JAVASCRIPT.md +631 -631
package/templates/languages/JULIA.md +97 -97
package/templates/languages/KOTLIN.md +511 -511
package/templates/languages/LISP.md +100 -100
package/templates/languages/LUA.md +74 -74
package/templates/languages/OBJECTIVEC.md +90 -90
package/templates/languages/PHP.md +416 -416
package/templates/languages/PYTHON.md +682 -682
package/templates/languages/RUBY.md +421 -421
package/templates/languages/RUST.md +477 -477
package/templates/languages/SAS.md +73 -73
package/templates/languages/SCALA.md +348 -348
package/templates/languages/SOLIDITY.md +580 -580
package/templates/languages/SQL.md +137 -137
package/templates/languages/SWIFT.md +466 -466
package/templates/languages/TYPESCRIPT.md +591 -591
package/templates/languages/ZIG.md +265 -265
package/templates/modules/ATLASSIAN.md +255 -255
package/templates/modules/CONTEXT7.md +54 -54
package/templates/modules/FIGMA.md +267 -267
package/templates/modules/GITHUB_MCP.md +64 -64
package/templates/modules/GRAFANA.md +328 -328
package/templates/modules/MEMORY.md +126 -126
package/templates/modules/NOTION.md +247 -247
package/templates/modules/PLAYWRIGHT.md +90 -90
package/templates/modules/RULEBOOK_MCP.md +156 -156
package/templates/modules/SERENA.md +337 -337
package/templates/modules/SUPABASE.md +223 -223
package/templates/modules/SYNAP.md +69 -69
package/templates/modules/VECTORIZER.md +63 -63
package/templates/modules/sequential-thinking.md +42 -42
package/templates/ralph/ralph-history.bat +4 -4
package/templates/ralph/ralph-history.sh +5 -5
package/templates/ralph/ralph-init.bat +5 -5
package/templates/ralph/ralph-init.sh +5 -5
package/templates/ralph/ralph-pause.bat +5 -5
package/templates/ralph/ralph-pause.sh +5 -5
package/templates/ralph/ralph-run.bat +5 -5
package/templates/ralph/ralph-run.sh +5 -5
package/templates/ralph/ralph-status.bat +4 -4
package/templates/ralph/ralph-status.sh +5 -5
package/templates/services/AZURE_BLOB.md +184 -184
package/templates/services/CASSANDRA.md +239 -239
package/templates/services/DATADOG.md +26 -26
package/templates/services/DOCKER.md +124 -124
package/templates/services/DOCKER_COMPOSE.md +168 -168
package/templates/services/DYNAMODB.md +308 -308
package/templates/services/ELASTICSEARCH.md +347 -347
package/templates/services/GCS.md +178 -178
package/templates/services/HELM.md +194 -194
package/templates/services/INFLUXDB.md +265 -265
package/templates/services/KAFKA.md +341 -341
package/templates/services/KUBERNETES.md +208 -208
package/templates/services/MARIADB.md +183 -183
package/templates/services/MEMCACHED.md +242 -242
package/templates/services/MINIO.md +201 -201
package/templates/services/MONGODB.md +268 -268
package/templates/services/MYSQL.md +358 -358
package/templates/services/NEO4J.md +247 -247
package/templates/services/OPENTELEMETRY.md +25 -25
package/templates/services/ORACLE.md +290 -290
package/templates/services/PINO.md +24 -24
package/templates/services/POSTGRESQL.md +326 -326
package/templates/services/PROMETHEUS.md +33 -33
package/templates/services/RABBITMQ.md +286 -286
package/templates/services/REDIS.md +292 -292
package/templates/services/S3.md +298 -298
package/templates/services/SENTRY.md +23 -23
package/templates/services/SQLITE.md +294 -294
package/templates/services/SQLSERVER.md +294 -294
package/templates/services/WINSTON.md +30 -30
package/templates/skills/cli/aider/SKILL.md +59 -59
package/templates/skills/cli/amazon-q/SKILL.md +35 -35
package/templates/skills/cli/auggie/SKILL.md +42 -42
package/templates/skills/cli/claude/SKILL.md +42 -42
package/templates/skills/cli/cline/SKILL.md +42 -42
package/templates/skills/cli/codebuddy/SKILL.md +30 -30
package/templates/skills/cli/codeium/SKILL.md +30 -30
package/templates/skills/cli/codex/SKILL.md +31 -31
package/templates/skills/cli/continue/SKILL.md +44 -44
package/templates/skills/cli/cursor-cli/SKILL.md +38 -38
package/templates/skills/cli/factory/SKILL.md +28 -28
package/templates/skills/cli/gemini/SKILL.md +45 -45
package/templates/skills/cli/kilocode/SKILL.md +28 -28
package/templates/skills/cli/opencode/SKILL.md +28 -28
package/templates/skills/core/agent-automation/SKILL.md +194 -194
package/templates/skills/core/dag/SKILL.md +314 -314
package/templates/skills/core/documentation-rules/SKILL.md +46 -46
package/templates/skills/core/quality-enforcement/SKILL.md +78 -78
package/templates/skills/core/rulebook/SKILL.md +176 -176
package/templates/skills/dev/accessibility/SKILL.md +17 -0
package/templates/skills/dev/api-design/SKILL.md +15 -0
package/templates/skills/dev/architect/SKILL.md +17 -0
package/templates/skills/dev/build-fix/SKILL.md +17 -0
package/templates/skills/dev/db-design/SKILL.md +15 -0
package/templates/skills/dev/debug/SKILL.md +16 -0
package/templates/skills/dev/deploy/SKILL.md +17 -0
package/templates/skills/dev/docs/SKILL.md +17 -0
package/templates/skills/dev/migrate/SKILL.md +15 -0
package/templates/skills/dev/perf/SKILL.md +17 -0
package/templates/skills/dev/refactor/SKILL.md +17 -0
package/templates/skills/dev/research/SKILL.md +14 -0
package/templates/skills/dev/review/SKILL.md +18 -0
package/templates/skills/dev/security-audit/SKILL.md +17 -0
package/templates/skills/frameworks/angular/SKILL.md +46 -46
package/templates/skills/frameworks/django/SKILL.md +93 -93
package/templates/skills/frameworks/electron/SKILL.md +157 -157
package/templates/skills/frameworks/flask/SKILL.md +48 -48
package/templates/skills/frameworks/flutter/SKILL.md +65 -65
package/templates/skills/frameworks/jquery/SKILL.md +42 -42
package/templates/skills/frameworks/laravel/SKILL.md +48 -48
package/templates/skills/frameworks/nestjs/SKILL.md +53 -53
package/templates/skills/frameworks/nextjs/SKILL.md +137 -137
package/templates/skills/frameworks/nuxt/SKILL.md +50 -50
package/templates/skills/frameworks/rails/SKILL.md +76 -76
package/templates/skills/frameworks/react/SKILL.md +48 -48
package/templates/skills/frameworks/react-native/SKILL.md +57 -57
package/templates/skills/frameworks/spring/SKILL.md +49 -49
package/templates/skills/frameworks/symfony/SKILL.md +46 -46
package/templates/skills/frameworks/vue/SKILL.md +46 -46
package/templates/skills/frameworks/zend/SKILL.md +45 -45
package/templates/skills/ides/copilot/SKILL.md +47 -47
package/templates/skills/ides/cursor/SKILL.md +53 -53
package/templates/skills/ides/jetbrains-ai/SKILL.md +45 -45
package/templates/skills/ides/replit/SKILL.md +46 -46
package/templates/skills/ides/tabnine/SKILL.md +39 -39
package/templates/skills/ides/vscode/SKILL.md +50 -50
package/templates/skills/ides/windsurf/SKILL.md +46 -46
package/templates/skills/ides/zed/SKILL.md +42 -42
package/templates/skills/languages/c/SKILL.md +343 -343
package/templates/skills/languages/cpp/SKILL.md +753 -753
package/templates/skills/languages/csharp/SKILL.md +427 -427
package/templates/skills/languages/elixir/SKILL.md +464 -464
package/templates/skills/languages/erlang/SKILL.md +371 -371
package/templates/skills/languages/go/SKILL.md +655 -655
package/templates/skills/languages/haskell/SKILL.md +187 -187
package/templates/skills/languages/java/SKILL.md +617 -617
package/templates/skills/languages/javascript/SKILL.md +641 -641
package/templates/skills/languages/julia/SKILL.md +107 -107
package/templates/skills/languages/kotlin/SKILL.md +521 -521
package/templates/skills/languages/lisp/SKILL.md +110 -110
package/templates/skills/languages/lua/SKILL.md +84 -84
package/templates/skills/languages/objectivec/SKILL.md +100 -100
package/templates/skills/languages/php/SKILL.md +426 -426
package/templates/skills/languages/python/SKILL.md +692 -692
package/templates/skills/languages/ruby/SKILL.md +431 -431
package/templates/skills/languages/rust/SKILL.md +487 -487
package/templates/skills/languages/sas/SKILL.md +83 -83
package/templates/skills/languages/scala/SKILL.md +358 -358
package/templates/skills/languages/solidity/SKILL.md +590 -590
package/templates/skills/languages/sql/SKILL.md +147 -147
package/templates/skills/languages/swift/SKILL.md +476 -476
package/templates/skills/languages/typescript/SKILL.md +302 -302
package/templates/skills/languages/zig/SKILL.md +275 -275
package/templates/skills/modules/atlassian/SKILL.md +265 -265
package/templates/skills/modules/context7/SKILL.md +64 -64
package/templates/skills/modules/figma/SKILL.md +277 -277
package/templates/skills/modules/github-mcp/SKILL.md +74 -74
package/templates/skills/modules/grafana/SKILL.md +338 -338
package/templates/skills/modules/memory/SKILL.md +73 -73
package/templates/skills/modules/notion/SKILL.md +257 -257
package/templates/skills/modules/playwright/SKILL.md +100 -100
package/templates/skills/modules/rulebook-mcp/SKILL.md +166 -166
package/templates/skills/modules/serena/SKILL.md +347 -347
package/templates/skills/modules/supabase/SKILL.md +233 -233
package/templates/skills/modules/synap/SKILL.md +79 -79
package/templates/skills/modules/vectorizer/SKILL.md +73 -73
package/templates/skills/services/azure-blob/SKILL.md +194 -194
package/templates/skills/services/cassandra/SKILL.md +249 -249
package/templates/skills/services/dynamodb/SKILL.md +318 -318
package/templates/skills/services/elasticsearch/SKILL.md +357 -357
package/templates/skills/services/gcs/SKILL.md +188 -188
package/templates/skills/services/influxdb/SKILL.md +275 -275
package/templates/skills/services/kafka/SKILL.md +351 -351
package/templates/skills/services/mariadb/SKILL.md +193 -193
package/templates/skills/services/memcached/SKILL.md +252 -252
package/templates/skills/services/minio/SKILL.md +211 -211
package/templates/skills/services/mongodb/SKILL.md +278 -278
package/templates/skills/services/mysql/SKILL.md +368 -368
package/templates/skills/services/neo4j/SKILL.md +257 -257
package/templates/skills/services/oracle/SKILL.md +300 -300
package/templates/skills/services/postgresql/SKILL.md +336 -336
package/templates/skills/services/rabbitmq/SKILL.md +296 -296
package/templates/skills/services/redis/SKILL.md +302 -302
package/templates/skills/services/s3/SKILL.md +308 -308
package/templates/skills/services/sqlite/SKILL.md +304 -304
package/templates/skills/services/sqlserver/SKILL.md +304 -304
package/templates/skills/workflows/ralph/SKILL.md +309 -309
package/templates/skills/workflows/ralph/install.sh +87 -87
package/templates/skills/workflows/ralph/manifest.json +158 -158

package/templates/git/SECRETS_MANAGEMENT.md CHANGED Viewed

@@ -1,585 +1,585 @@
-# Secrets Management in CI/CD
-This template provides best practices for securely managing secrets, API keys, tokens, and sensitive configuration in CI/CD pipelines.
-## Purpose
-Secure secrets management ensures:
-- No hardcoded credentials in code
-- Encrypted storage of sensitive data
-- Least-privilege access control
-- Audit trail of secret usage
-- Easy secret rotation
-## Core Principles
-### 1. **Never Commit Secrets to Version Control**
-**❌ Bad**:
-```javascript
-// NEVER do this
-const API_KEY = 'sk_live_abc123xyz';
-const DATABASE_URL = 'postgres://user:password@host/db';
-```
-**✅ Good**:
-```javascript
-// Use environment variables
-const API_KEY = process.env.API_KEY;
-const DATABASE_URL = process.env.DATABASE_URL;
-```
-### 2. **Use Platform Secret Stores**
-**Platforms**:
-- GitHub Actions: Repository/Organization secrets
-- GitLab CI: CI/CD variables
-- CircleCI: Environment variables (Project/Context)
-- Azure DevOps: Variable groups
-- AWS: Secrets Manager / Parameter Store
-### 3. **Apply Least Privilege**
-**Principle**: Grant minimum necessary access
-```yaml
-# Good: Environment-specific secrets
-production:
-  env:
-    API_KEY: ${{ secrets.PROD_API_KEY }}
-development:
-  env:
-    API_KEY: ${{ secrets.DEV_API_KEY }}
-```
-### 4. **Rotate Secrets Regularly**
-**Schedule**:
-- API keys: Every 90 days
-- Access tokens: Every 90 days
-- SSH keys: Every 180 days
-- Database passwords: Every 90 days
-## Platform-Specific Implementation
-### GitHub Actions
-#### Repository Secrets
-**Add via UI**:
-1. Repository → Settings → Secrets and variables → Actions
-2. New repository secret
-3. Name: `API_KEY`
-4. Value: `sk_live_abc123xyz`
-**Add via CLI**:
-```bash
-gh secret set API_KEY < api_key.txt
-# Or inline
-gh secret set API_KEY --body "sk_live_abc123xyz"
-```
-**Usage in Workflow**:
-```yaml
-jobs:
-  deploy:
-    steps:
-      - name: Deploy
-        run: ./deploy.sh
-        env:
-          API_KEY: ${{ secrets.API_KEY }}
-          DATABASE_URL: ${{ secrets.DATABASE_URL }}
-```
-#### Organization Secrets
-**When to use**: Shared across multiple repositories
-```yaml
-# Available to all repos in org
-- name: Use org secret
-  env:
-    NPM_TOKEN: ${{ secrets.NPM_TOKEN }}  # Org-level secret
-```
-#### Environment Secrets
-**When to use**: Environment-specific secrets (production, staging)
-```yaml
-jobs:
-  deploy:production:
-    environment: production  # Uses production environment secrets
-    steps:
-      - run: deploy.sh
-        env:
-          API_KEY: ${{ secrets.API_KEY }}  # production-specific value
-```
-### GitLab CI
-#### CI/CD Variables
-**Add via UI**:
-1. Project → Settings → CI/CD → Variables
-2. Add variable
-3. Key: `API_KEY`
-4. Value: `sk_live_abc123xyz`
-5. Flags: ✓ Protect variable (main branch only), ✓ Mask variable
-**Usage in Pipeline**:
-```yaml
-deploy:
-  script:
-    - deploy.sh
-  variables:
-    API_KEY: ${{ secrets.API_KEY }}
-  only:
-    - main
-```
-#### File Variables
-**For multi-line secrets** (certificates, keys):
-```yaml
-deploy:
-  before_script:
-    - echo "$SSL_CERTIFICATE" > cert.pem
-    - chmod 600 cert.pem
-  script:
-    - use-certificate cert.pem
-```
-### CircleCI
-#### Project Environment Variables
-**Add via UI**:
-1. Project Settings → Environment Variables
-2. Add Variable
-3. Name: `API_KEY`, Value: `sk_live_abc123xyz`
-**Usage in Config**:
-```yaml
-jobs:
-  deploy:
-    steps:
-      - run:
-          command: deploy.sh
-          environment:
-            API_KEY: $API_KEY
-```
-#### Contexts (Organization Secrets)
-```yaml
-workflows:
-  deploy:
-    jobs:
-      - deploy:
-          context: production-secrets  # Shared secrets
-```
-## Secret Types and Patterns
-### 1. API Keys
-**Pattern**: Use environment-specific keys
-```yaml
-# development
-env:
-  STRIPE_KEY: ${{ secrets.STRIPE_TEST_KEY }}
-# production
-env:
-  STRIPE_KEY: ${{ secrets.STRIPE_LIVE_KEY }}
-```
-### 2. Database Credentials
-**Pattern**: Use connection strings with secrets
-```yaml
-env:
-  # Store entire connection string
-  DATABASE_URL: ${{ secrets.DATABASE_URL }}
-  # Or compose from parts
-  DB_HOST: ${{ secrets.DB_HOST }}
-  DB_USER: ${{ secrets.DB_USER }}
-  DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
-  DB_NAME: ${{ secrets.DB_NAME }}
-```
-**Script usage**:
-```bash
-# Use DATABASE_URL directly
-psql "$DATABASE_URL" -c "SELECT 1"
-# Or construct connection string
-psql "postgres://$DB_USER:$DB_PASSWORD@$DB_HOST/$DB_NAME"
-```
-### 3. SSH Keys
-**Pattern**: Add SSH key for deployments
-```yaml
-- name: Setup SSH key
-  run: |
-    mkdir -p ~/.ssh
-    echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
-    chmod 600 ~/.ssh/id_rsa
-    ssh-keyscan ${{ secrets.SSH_HOST }} >> ~/.ssh/known_hosts
-```
-### 4. Service Account Keys (JSON)
-**Pattern**: Store JSON credentials as secret
-```yaml
-- name: Authenticate with GCP
-  run: |
-    echo '${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}' > key.json
-    gcloud auth activate-service-account --key-file=key.json
-    rm key.json  # Clean up
-```
-### 5. Certificates (PEM/CRT)
-**Pattern**: Multi-line secret as file
-```yaml
-- name: Setup certificate
-  run: |
-    echo "${{ secrets.SSL_CERTIFICATE }}" > cert.pem
-    echo "${{ secrets.SSL_PRIVATE_KEY }}" > key.pem
-    chmod 600 *.pem
-```
-### 6. Signing Keys
-**Pattern**: Sign artifacts with secret key
-```yaml
-- name: Sign package
-  run: |
-    echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --import
-    gpg --sign package.tar.gz
-```
-## Advanced Patterns
-### Pattern 1: Dynamic Secrets from Vault
-**Use Vault for dynamic, short-lived secrets**:
-```yaml
-- name: Get secrets from Vault
-  run: |
-    # Login to Vault
-    vault login -method=github token=${{ secrets.VAULT_TOKEN }}
-    # Get dynamic database credentials (expires in 1 hour)
-    export DB_USER=$(vault read -field=username database/creds/app)
-    export DB_PASSWORD=$(vault read -field=password database/creds/app)
-    # Use credentials
-    psql "postgres://$DB_USER:$DB_PASSWORD@$DB_HOST/$DB_NAME"
-```
-### Pattern 2: AWS Secrets Manager
-**Retrieve secrets at runtime**:
-```yaml
-- name: Configure AWS credentials
-  uses: aws-actions/configure-aws-credentials@v4
-  with:
-    role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
-- name: Get secrets from AWS Secrets Manager
-  run: |
-    export API_KEY=$(aws secretsmanager get-secret-value \
-      --secret-id production/api-key \
-      --query SecretString \
-      --output text)
-    # Use API_KEY
-    curl -H "Authorization: Bearer $API_KEY" https://api.example.com
-```
-### Pattern 3: Google Secret Manager
-```yaml
-- name: Authenticate with GCP
-  uses: google-github-actions/auth@v2
-  with:
-    credentials_json: ${{ secrets.GCP_CREDENTIALS }}
-- name: Get secrets
-  run: |
-    export DATABASE_URL=$(gcloud secrets versions access latest \
-      --secret="database-url")
-```
-### Pattern 4: OIDC/Federated Authentication
-**Passwordless authentication using OIDC** (GitHub Actions → AWS):
-```yaml
-- name: Configure AWS Credentials
-  uses: aws-actions/configure-aws-credentials@v4
-  with:
-    role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole
-    aws-region: us-east-1
-    # No secrets needed! Uses OIDC token
-```
-**Benefits**:
-- No long-lived credentials
-- Automatic rotation
-- Fine-grained permissions
-## Security Best Practices
-### ✅ DO
-1. **Use Secret Scanning**
-   ```yaml
-   # Enable in GitHub: Settings → Code security and analysis
-   # Automatically detects committed secrets
-   ```
-2. **Mask Secrets in Logs**
-   ```yaml
-   # Secrets automatically masked in GitHub Actions logs
-   # Manually mask custom values:
-   - run: echo "::add-mask::$CUSTOM_VALUE"
-   ```
-3. **Use Separate Secrets Per Environment**
-   ```yaml
-   production:
-     env:
-       API_KEY: ${{ secrets.PROD_API_KEY }}
-   staging:
-     env:
-       API_KEY: ${{ secrets.STAGING_API_KEY }}
-   ```
-4. **Limit Secret Scope**
-   ```yaml
-   # GitHub: Only available to protected branches
-   # Settings → Secrets → Environment secrets → production
-   # ✓ Required reviewers
-   # ✓ Wait timer
-   ```
-5. **Audit Secret Usage**
-   ```yaml
-   # GitHub audit log shows:
-   # - Who accessed secrets
-   # - When secrets were used
-   # - Which workflows used secrets
-   ```
-6. **Rotate Secrets Regularly**
-   ```bash
-   # Automate rotation with cron job
-   0 0 1 * * rotate-secrets.sh  # Monthly
-   ```
-### ❌ DON'T
-1. **Don't Echo Secrets**
-   ```yaml
-   # Bad
-   - run: echo "API key is ${{ secrets.API_KEY }}"
-   # Good
-   - run: echo "API key configured"
-   ```
-2. **Don't Store Secrets in Code**
-   ```javascript
-   // Bad
-   const key = 'sk_live_abc123';
-   // Good
-   const key = process.env.API_KEY;
-   ```
-3. **Don't Use Secrets in PR Builds**
-   ```yaml
-   # Bad - secrets exposed to forks
-   on: pull_request
-   # Good - use pull_request_target with care
-   on:
-     pull_request_target:
-       types: [labeled]
-   jobs:
-     test:
-       if: github.event.label.name == 'safe-to-test'
-   ```
-4. **Don't Share Secrets Across Teams**
-   ```yaml
-   # Bad - everyone has prod access
-   env:
-     PROD_KEY: ${{ secrets.PROD_KEY }}
-   # Good - separate secrets per team/environment
-   ```
-5. **Don't Commit `.env` Files**
-   ```bash
-   # .gitignore
-   .env
-   .env.local
-   .env.*.local
-   **/.env
-   ```
-## Secret Rotation Strategy
-### Automated Rotation Process
-**1. Generate New Secret**:
-```bash
-# Script: rotate-api-key.sh
-NEW_KEY=$(generate-api-key.sh)
-# Update in secret store
-gh secret set API_KEY --body "$NEW_KEY"
-# Update in application
-update-application-config.sh "$NEW_KEY"
-```
-**2. Test New Secret**:
-```yaml
-- name: Test new secret
-  run: |
-    curl -H "Authorization: Bearer ${{ secrets.API_KEY }}" \
-      https://api.example.com/health
-```
-**3. Deactivate Old Secret**:
-```bash
-# After confirming new secret works
-deactivate-old-api-key.sh "$OLD_KEY"
-```
-### Rotation Checklist
-- [ ] Generate new secret
-- [ ] Update in CI/CD platform
-- [ ] Deploy with new secret
-- [ ] Verify functionality
-- [ ] Revoke old secret
-- [ ] Update documentation
-## Troubleshooting
-### Secret Not Available
-**Issue**: Workflow can't access secret
-**Solutions**:
-1. Check secret name matches exactly (case-sensitive)
-2. Verify workflow has permission to access secret
-3. Check if secret is environment-specific
-4. Ensure secret is not expired/deleted
-### Secret Masked Incorrectly
-**Issue**: Secret visible in logs
-**Solutions**:
-```yaml
-# Explicitly mask value
-- run: echo "::add-mask::$VALUE"
-# Check if secret contains special characters
-# - Secrets with spaces may not mask correctly
-# - Use quotes: echo "::add-mask::$SECRET"
-```
-### Secret Too Large
-**Issue**: Secret exceeds size limit
-**GitHub Limits**:
-- Secret value: 64 KB
-- Repository: 100 secrets
-- Organization: 1000 secrets
-**Solutions**:
-1. Split large secrets into multiple parts
-2. Store in external secret manager (Vault, AWS Secrets Manager)
-3. Use base64 encoding for binary data
-### Secret Rotation Breaks Deployment
-**Issue**: Old secret revoked before new one deployed
-**Solution**:
-```bash
-# Grace period approach
-1. Deploy new secret to CI/CD
-2. Deploy application with new secret
-3. Wait 24 hours (grace period)
-4. Revoke old secret
-```
-## Common Pitfalls
-1. **❌ Hardcoding secrets**: Always use environment variables
-2. **❌ Committing `.env`**: Add to `.gitignore`
-3. **❌ Using same secret everywhere**: Separate dev/staging/prod
-4. **❌ Never rotating secrets**: Set up automated rotation
-5. **❌ Logging secrets**: Mask sensitive values
-6. **❌ Sharing secrets insecurely**: Use secret management platform
-7. **❌ No audit trail**: Enable secret access logging
-## Integration with Rulebook
-If using `@hivehub/rulebook`, secret management patterns are enforced:
-```bash
-# Initialize with secret management best practices
-npx @hivehub/rulebook init
-# Creates:
-# - .env.example (template)
-# - .gitignore (excludes .env)
-# - Documentation on secret management
-```
-**`.env.example`**:
-```bash
-# API Keys
-API_KEY=your-api-key-here
-DATABASE_URL=postgres://user:password@localhost/db
-# AWS Credentials
-AWS_ACCESS_KEY_ID=your-access-key
-AWS_SECRET_ACCESS_KEY=your-secret-key
-# Note: Copy to .env and fill with actual values
-# .env is gitignored and should NEVER be committed
-```
-## Related Templates
-- See `/.rulebook/specs/GITHUB_ACTIONS.md` for GitHub Actions secrets
-- See `/.rulebook/specs/GITLAB_CI.md` for GitLab CI secrets
-- See `/.rulebook/specs/CI_CD_PATTERNS.md` for deployment patterns
-- See `/.rulebook/specs/GIT.md` for .gitignore patterns
+# Secrets Management in CI/CD
+This template provides best practices for securely managing secrets, API keys, tokens, and sensitive configuration in CI/CD pipelines.
+## Purpose
+Secure secrets management ensures:
+- No hardcoded credentials in code
+- Encrypted storage of sensitive data
+- Least-privilege access control
+- Audit trail of secret usage
+- Easy secret rotation
+## Core Principles
+### 1. **Never Commit Secrets to Version Control**
+**❌ Bad**:
+```javascript
+// NEVER do this
+const API_KEY = 'sk_live_abc123xyz';
+const DATABASE_URL = 'postgres://user:password@host/db';
+```
+**✅ Good**:
+```javascript
+// Use environment variables
+const API_KEY = process.env.API_KEY;
+const DATABASE_URL = process.env.DATABASE_URL;
+```
+### 2. **Use Platform Secret Stores**
+**Platforms**:
+- GitHub Actions: Repository/Organization secrets
+- GitLab CI: CI/CD variables
+- CircleCI: Environment variables (Project/Context)
+- Azure DevOps: Variable groups
+- AWS: Secrets Manager / Parameter Store
+### 3. **Apply Least Privilege**
+**Principle**: Grant minimum necessary access
+```yaml
+# Good: Environment-specific secrets
+production:
+  env:
+    API_KEY: ${{ secrets.PROD_API_KEY }}
+development:
+  env:
+    API_KEY: ${{ secrets.DEV_API_KEY }}
+```
+### 4. **Rotate Secrets Regularly**
+**Schedule**:
+- API keys: Every 90 days
+- Access tokens: Every 90 days
+- SSH keys: Every 180 days
+- Database passwords: Every 90 days
+## Platform-Specific Implementation
+### GitHub Actions
+#### Repository Secrets
+**Add via UI**:
+1. Repository → Settings → Secrets and variables → Actions
+2. New repository secret
+3. Name: `API_KEY`
+4. Value: `sk_live_abc123xyz`
+**Add via CLI**:
+```bash
+gh secret set API_KEY < api_key.txt
+# Or inline
+gh secret set API_KEY --body "sk_live_abc123xyz"
+```
+**Usage in Workflow**:
+```yaml
+jobs:
+  deploy:
+    steps:
+      - name: Deploy
+        run: ./deploy.sh
+        env:
+          API_KEY: ${{ secrets.API_KEY }}
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
+```
+#### Organization Secrets
+**When to use**: Shared across multiple repositories
+```yaml
+# Available to all repos in org
+- name: Use org secret
+  env:
+    NPM_TOKEN: ${{ secrets.NPM_TOKEN }}  # Org-level secret
+```
+#### Environment Secrets
+**When to use**: Environment-specific secrets (production, staging)
+```yaml
+jobs:
+  deploy:production:
+    environment: production  # Uses production environment secrets
+    steps:
+      - run: deploy.sh
+        env:
+          API_KEY: ${{ secrets.API_KEY }}  # production-specific value
+```
+### GitLab CI
+#### CI/CD Variables
+**Add via UI**:
+1. Project → Settings → CI/CD → Variables
+2. Add variable
+3. Key: `API_KEY`
+4. Value: `sk_live_abc123xyz`
+5. Flags: ✓ Protect variable (main branch only), ✓ Mask variable
+**Usage in Pipeline**:
+```yaml
+deploy:
+  script:
+    - deploy.sh
+  variables:
+    API_KEY: ${{ secrets.API_KEY }}
+  only:
+    - main
+```
+#### File Variables
+**For multi-line secrets** (certificates, keys):
+```yaml
+deploy:
+  before_script:
+    - echo "$SSL_CERTIFICATE" > cert.pem
+    - chmod 600 cert.pem
+  script:
+    - use-certificate cert.pem
+```
+### CircleCI
+#### Project Environment Variables
+**Add via UI**:
+1. Project Settings → Environment Variables
+2. Add Variable
+3. Name: `API_KEY`, Value: `sk_live_abc123xyz`
+**Usage in Config**:
+```yaml
+jobs:
+  deploy:
+    steps:
+      - run:
+          command: deploy.sh
+          environment:
+            API_KEY: $API_KEY
+```
+#### Contexts (Organization Secrets)
+```yaml
+workflows:
+  deploy:
+    jobs:
+      - deploy:
+          context: production-secrets  # Shared secrets
+```
+## Secret Types and Patterns
+### 1. API Keys
+**Pattern**: Use environment-specific keys
+```yaml
+# development
+env:
+  STRIPE_KEY: ${{ secrets.STRIPE_TEST_KEY }}
+# production
+env:
+  STRIPE_KEY: ${{ secrets.STRIPE_LIVE_KEY }}
+```
+### 2. Database Credentials
+**Pattern**: Use connection strings with secrets
+```yaml
+env:
+  # Store entire connection string
+  DATABASE_URL: ${{ secrets.DATABASE_URL }}
+  # Or compose from parts
+  DB_HOST: ${{ secrets.DB_HOST }}
+  DB_USER: ${{ secrets.DB_USER }}
+  DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
+  DB_NAME: ${{ secrets.DB_NAME }}
+```
+**Script usage**:
+```bash
+# Use DATABASE_URL directly
+psql "$DATABASE_URL" -c "SELECT 1"
+# Or construct connection string
+psql "postgres://$DB_USER:$DB_PASSWORD@$DB_HOST/$DB_NAME"
+```
+### 3. SSH Keys
+**Pattern**: Add SSH key for deployments
+```yaml
+- name: Setup SSH key
+  run: |
+    mkdir -p ~/.ssh
+    echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+    chmod 600 ~/.ssh/id_rsa
+    ssh-keyscan ${{ secrets.SSH_HOST }} >> ~/.ssh/known_hosts
+```
+### 4. Service Account Keys (JSON)
+**Pattern**: Store JSON credentials as secret
+```yaml
+- name: Authenticate with GCP
+  run: |
+    echo '${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}' > key.json
+    gcloud auth activate-service-account --key-file=key.json
+    rm key.json  # Clean up
+```
+### 5. Certificates (PEM/CRT)
+**Pattern**: Multi-line secret as file
+```yaml
+- name: Setup certificate
+  run: |
+    echo "${{ secrets.SSL_CERTIFICATE }}" > cert.pem
+    echo "${{ secrets.SSL_PRIVATE_KEY }}" > key.pem
+    chmod 600 *.pem
+```
+### 6. Signing Keys
+**Pattern**: Sign artifacts with secret key
+```yaml
+- name: Sign package
+  run: |
+    echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --import
+    gpg --sign package.tar.gz
+```
+## Advanced Patterns
+### Pattern 1: Dynamic Secrets from Vault
+**Use Vault for dynamic, short-lived secrets**:
+```yaml
+- name: Get secrets from Vault
+  run: |
+    # Login to Vault
+    vault login -method=github token=${{ secrets.VAULT_TOKEN }}
+    # Get dynamic database credentials (expires in 1 hour)
+    export DB_USER=$(vault read -field=username database/creds/app)
+    export DB_PASSWORD=$(vault read -field=password database/creds/app)
+    # Use credentials
+    psql "postgres://$DB_USER:$DB_PASSWORD@$DB_HOST/$DB_NAME"
+```
+### Pattern 2: AWS Secrets Manager
+**Retrieve secrets at runtime**:
+```yaml
+- name: Configure AWS credentials
+  uses: aws-actions/configure-aws-credentials@v4
+  with:
+    role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+- name: Get secrets from AWS Secrets Manager
+  run: |
+    export API_KEY=$(aws secretsmanager get-secret-value \
+      --secret-id production/api-key \
+      --query SecretString \
+      --output text)
+    # Use API_KEY
+    curl -H "Authorization: Bearer $API_KEY" https://api.example.com
+```
+### Pattern 3: Google Secret Manager
+```yaml
+- name: Authenticate with GCP
+  uses: google-github-actions/auth@v2
+  with:
+    credentials_json: ${{ secrets.GCP_CREDENTIALS }}
+- name: Get secrets
+  run: |
+    export DATABASE_URL=$(gcloud secrets versions access latest \
+      --secret="database-url")
+```
+### Pattern 4: OIDC/Federated Authentication
+**Passwordless authentication using OIDC** (GitHub Actions → AWS):
+```yaml
+- name: Configure AWS Credentials
+  uses: aws-actions/configure-aws-credentials@v4
+  with:
+    role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole
+    aws-region: us-east-1
+    # No secrets needed! Uses OIDC token
+```
+**Benefits**:
+- No long-lived credentials
+- Automatic rotation
+- Fine-grained permissions
+## Security Best Practices
+### ✅ DO
+1. **Use Secret Scanning**
+   ```yaml
+   # Enable in GitHub: Settings → Code security and analysis
+   # Automatically detects committed secrets
+   ```
+2. **Mask Secrets in Logs**
+   ```yaml
+   # Secrets automatically masked in GitHub Actions logs
+   # Manually mask custom values:
+   - run: echo "::add-mask::$CUSTOM_VALUE"
+   ```
+3. **Use Separate Secrets Per Environment**
+   ```yaml
+   production:
+     env:
+       API_KEY: ${{ secrets.PROD_API_KEY }}
+   staging:
+     env:
+       API_KEY: ${{ secrets.STAGING_API_KEY }}
+   ```
+4. **Limit Secret Scope**
+   ```yaml
+   # GitHub: Only available to protected branches
+   # Settings → Secrets → Environment secrets → production
+   # ✓ Required reviewers
+   # ✓ Wait timer
+   ```
+5. **Audit Secret Usage**
+   ```yaml
+   # GitHub audit log shows:
+   # - Who accessed secrets
+   # - When secrets were used
+   # - Which workflows used secrets
+   ```
+6. **Rotate Secrets Regularly**
+   ```bash
+   # Automate rotation with cron job
+   0 0 1 * * rotate-secrets.sh  # Monthly
+   ```
+### ❌ DON'T
+1. **Don't Echo Secrets**
+   ```yaml
+   # Bad
+   - run: echo "API key is ${{ secrets.API_KEY }}"
+   # Good
+   - run: echo "API key configured"
+   ```
+2. **Don't Store Secrets in Code**
+   ```javascript
+   // Bad
+   const key = 'sk_live_abc123';
+   // Good
+   const key = process.env.API_KEY;
+   ```
+3. **Don't Use Secrets in PR Builds**
+   ```yaml
+   # Bad - secrets exposed to forks
+   on: pull_request
+   # Good - use pull_request_target with care
+   on:
+     pull_request_target:
+       types: [labeled]
+   jobs:
+     test:
+       if: github.event.label.name == 'safe-to-test'
+   ```
+4. **Don't Share Secrets Across Teams**
+   ```yaml
+   # Bad - everyone has prod access
+   env:
+     PROD_KEY: ${{ secrets.PROD_KEY }}
+   # Good - separate secrets per team/environment
+   ```
+5. **Don't Commit `.env` Files**
+   ```bash
+   # .gitignore
+   .env
+   .env.local
+   .env.*.local
+   **/.env
+   ```
+## Secret Rotation Strategy
+### Automated Rotation Process
+**1. Generate New Secret**:
+```bash
+# Script: rotate-api-key.sh
+NEW_KEY=$(generate-api-key.sh)
+# Update in secret store
+gh secret set API_KEY --body "$NEW_KEY"
+# Update in application
+update-application-config.sh "$NEW_KEY"
+```
+**2. Test New Secret**:
+```yaml
+- name: Test new secret
+  run: |
+    curl -H "Authorization: Bearer ${{ secrets.API_KEY }}" \
+      https://api.example.com/health
+```
+**3. Deactivate Old Secret**:
+```bash
+# After confirming new secret works
+deactivate-old-api-key.sh "$OLD_KEY"
+```
+### Rotation Checklist
+- [ ] Generate new secret
+- [ ] Update in CI/CD platform
+- [ ] Deploy with new secret
+- [ ] Verify functionality
+- [ ] Revoke old secret
+- [ ] Update documentation
+## Troubleshooting
+### Secret Not Available
+**Issue**: Workflow can't access secret
+**Solutions**:
+1. Check secret name matches exactly (case-sensitive)
+2. Verify workflow has permission to access secret
+3. Check if secret is environment-specific
+4. Ensure secret is not expired/deleted
+### Secret Masked Incorrectly
+**Issue**: Secret visible in logs
+**Solutions**:
+```yaml
+# Explicitly mask value
+- run: echo "::add-mask::$VALUE"
+# Check if secret contains special characters
+# - Secrets with spaces may not mask correctly
+# - Use quotes: echo "::add-mask::$SECRET"
+```
+### Secret Too Large
+**Issue**: Secret exceeds size limit
+**GitHub Limits**:
+- Secret value: 64 KB
+- Repository: 100 secrets
+- Organization: 1000 secrets
+**Solutions**:
+1. Split large secrets into multiple parts
+2. Store in external secret manager (Vault, AWS Secrets Manager)
+3. Use base64 encoding for binary data
+### Secret Rotation Breaks Deployment
+**Issue**: Old secret revoked before new one deployed
+**Solution**:
+```bash
+# Grace period approach
+1. Deploy new secret to CI/CD
+2. Deploy application with new secret
+3. Wait 24 hours (grace period)
+4. Revoke old secret
+```
+## Common Pitfalls
+1. **❌ Hardcoding secrets**: Always use environment variables
+2. **❌ Committing `.env`**: Add to `.gitignore`
+3. **❌ Using same secret everywhere**: Separate dev/staging/prod
+4. **❌ Never rotating secrets**: Set up automated rotation
+5. **❌ Logging secrets**: Mask sensitive values
+6. **❌ Sharing secrets insecurely**: Use secret management platform
+7. **❌ No audit trail**: Enable secret access logging
+## Integration with Rulebook
+If using `@hivehub/rulebook`, secret management patterns are enforced:
+```bash
+# Initialize with secret management best practices
+npx @hivehub/rulebook init
+# Creates:
+# - .env.example (template)
+# - .gitignore (excludes .env)
+# - Documentation on secret management
+```
+**`.env.example`**:
+```bash
+# API Keys
+API_KEY=your-api-key-here
+DATABASE_URL=postgres://user:password@localhost/db
+# AWS Credentials
+AWS_ACCESS_KEY_ID=your-access-key
+AWS_SECRET_ACCESS_KEY=your-secret-key
+# Note: Copy to .env and fill with actual values
+# .env is gitignored and should NEVER be committed
+```
+## Related Templates
+- See `/.rulebook/specs/GITHUB_ACTIONS.md` for GitHub Actions secrets
+- See `/.rulebook/specs/GITLAB_CI.md` for GitLab CI secrets
+- See `/.rulebook/specs/CI_CD_PATTERNS.md` for deployment patterns
+- See `/.rulebook/specs/GIT.md` for .gitignore patterns