@palettelab/cli 0.3.29 → 0.3.31

package/README.md

@@ -224,7 +224,8 @@ Declare database ownership in `palette-plugin.json`:
 }
 ```
 
-Define org-scoped models with the backend SDK:
+Define org-scoped models with the backend SDK. Table names must start with the
+app prefix (`my_app__` for `my-app`):
 
 ```python
 from sqlalchemy import String
@@ -232,7 +233,7 @@ from sqlalchemy.orm import Mapped, mapped_column
 from palette_sdk import OrgScopedTable
 
 class Invoice(OrgScopedTable):
-    __tablename__ = "invoices"
+    __tablename__ = "my_app__invoices"
 
     id: Mapped[int] = mapped_column(primary_key=True)
     customer_name: Mapped[str] = mapped_column(String(255))
@@ -245,7 +246,7 @@ from palette_sdk.db import ensure_org_rls
 
 def upgrade():
     op.create_table(...)
-    ensure_org_rls(op, "invoices")
+    ensure_org_rls(op, "my_app__invoices")
 ```
 
 Use `ctx.repo(Model)` for org-safe CRUD:
@@ -440,6 +441,36 @@ Environment variables:
 | `PALETTE_DEV_DATABASE_URL` | `.palette/dev/<plugin-id>.sqlite3` | Override the local dev database URL |
 | `APPSTORE_AUTO_APPROVE_SANDBOX_PREVIEWS` | `false` | Backend setting for hosted sandboxes; auto-approve passing preview publishes so developers can test full OS behavior without manual review |
 
+### `pltt secrets`
+
+Palette secrets are declared in `palette-plugin.json` and resolved through
+`ctx.secret("NAME")`.
+
+```json
+{
+  "secrets": {
+    "OPENAI_API_KEY": { "scope": "install", "required": true },
+    "STRIPE_SECRET": { "scope": "plugin", "required": true },
+    "DEBUG_PROBE_URL": { "scope": "dev", "required": false }
+  },
+  "platform_services": ["llm", "kv", "storage"]
+}
+```
+
+Commands:
+
+```bash
+pltt secrets init
+pltt secrets set STRIPE_SECRET --env staging --value sk_live_...
+pltt secrets list --env staging
+pltt publish --env staging --secrets-file plugin-secrets.env
+```
+
+`dev` secrets live in `.palette/.env.local`, are loaded by `pltt dev`, and are
+never uploaded. `plugin` secrets are encrypted by the platform and attached to
+the plugin/environment. `install` secrets are filled by the installing org.
+Frontend bundles may only receive public values such as `NEXT_PUBLIC_*`.
+
 ### `pltt login`
 
 Save a Palette sandbox or production environment URL plus token in `~/.palette/config.json` with file mode `0600`. Environment variables still override the stored token when present.

package/backend-sdk/palette_sdk/__init__.py

@@ -1,7 +1,7 @@
 """Palette Platform SDK for building backend plugins."""
 
 from palette_sdk.plugin_router import PluginRouter
-from palette_sdk.plugin_context import PluginContext, get_plugin_context
+from palette_sdk.plugin_context import MissingSecretError, PluginContext, get_plugin_context
 from palette_sdk.data_rooms import DataRoomsClient
 from palette_sdk.repository import OrgRepository
 from palette_sdk.lifecycle import LifecycleHooks
@@ -12,7 +12,14 @@ from palette_sdk.schemas import (
     ErrorResponse,
     PaginatedResponse,
 )
-from palette_sdk.db import OrgScopedTable, PluginBase, ensure_org_rls
+from palette_sdk.db import (
+    OrgScopedTable,
+    PluginBase,
+    ensure_org_rls,
+    plugin_safe_id,
+    plugin_schema,
+    plugin_table_prefix,
+)
 from palette_sdk.permissions import (
     KNOWN_PERMISSIONS,
     is_known_permission,
@@ -26,6 +33,7 @@ from palette_sdk.testing import route_permission_issues
 __all__ = [
     "PluginRouter",
     "PluginContext",
+    "MissingSecretError",
     "get_plugin_context",
     "DataRoomsClient",
     "OrgRepository",
@@ -39,6 +47,9 @@ __all__ = [
     "OrgScopedTable",
     "PluginBase",
     "ensure_org_rls",
+    "plugin_safe_id",
+    "plugin_schema",
+    "plugin_table_prefix",
     "KNOWN_PERMISSIONS",
     "is_known_permission",
     "require_permission",

package/backend-sdk/palette_sdk/db/__init__.py

@@ -12,7 +12,7 @@ Typical plugin usage:
     from sqlalchemy.orm import Mapped, mapped_column
 
     class Expense(OrgScopedTable):
-        __tablename__ = "expenses"
+        __tablename__ = "my_app__expenses"
         title: Mapped[str] = mapped_column(String(200))
         amount_cents: Mapped[int]
 
@@ -23,16 +23,29 @@ Typical plugin usage:
 
     def upgrade():
         op.create_table(
-            "expenses",
+            "my_app__expenses",
             sa.Column("id", sa.Integer, primary_key=True),
             sa.Column("organization_id", sa.BigInteger, nullable=False, index=True),
             sa.Column("title", sa.String(200), nullable=False),
             sa.Column("amount_cents", sa.Integer, nullable=False),
         )
-        ensure_org_rls(op, "expenses")
+        ensure_org_rls(op, "my_app__expenses")
 """
 
-from palette_sdk.db.base import OrgScopedTable, PluginBase
+from palette_sdk.db.base import (
+    OrgScopedTable,
+    PluginBase,
+    plugin_safe_id,
+    plugin_schema,
+    plugin_table_prefix,
+)
 from palette_sdk.db.rls import ensure_org_rls
 
-__all__ = ["OrgScopedTable", "PluginBase", "ensure_org_rls"]
+__all__ = [
+    "OrgScopedTable",
+    "PluginBase",
+    "ensure_org_rls",
+    "plugin_safe_id",
+    "plugin_schema",
+    "plugin_table_prefix",
+]

package/backend-sdk/palette_sdk/db/base.py

@@ -11,6 +11,23 @@ from sqlalchemy import BigInteger, Index
 from sqlalchemy.orm import DeclarativeBase, Mapped, declared_attr, mapped_column
 
 
+def plugin_safe_id(plugin_id: str) -> str:
+    """Return the DB-safe form of a plugin id."""
+    import re
+
+    return re.sub(r"[^a-z0-9_]", "_", plugin_id.lower())
+
+
+def plugin_schema(plugin_id: str) -> str:
+    """Return the Postgres schema name owned by a plugin."""
+    return f"app_{plugin_safe_id(plugin_id)}"
+
+
+def plugin_table_prefix(plugin_id: str) -> str:
+    """Return the required table-name prefix for plugin-owned tables."""
+    return f"{plugin_safe_id(plugin_id)}__"
+
+
 class PluginBase(DeclarativeBase):
     """Declarative base for plugin models.
 

package/backend-sdk/palette_sdk/manifest.py

@@ -6,7 +6,7 @@ import json
 from pathlib import Path
 from typing import Literal
 
-from pydantic import BaseModel, Field
+from pydantic import BaseModel, ConfigDict, Field
 
 
 class AgentDefinition(BaseModel):
@@ -73,6 +73,21 @@ class RateLimit(BaseModel):
     per_minute: int = 60
 
 
+class SecretSpec(BaseModel):
+    model_config = ConfigDict(populate_by_name=True)
+
+    scope: Literal["dev", "plugin", "install", "platform"] | list[Literal["dev", "plugin", "install", "platform"]] = "dev"
+    required: bool = False
+    label: str | None = None
+    help: str | None = None
+    validate_pattern: str | None = Field(default=None, alias="validate")
+
+
+class PlatformServiceSpec(BaseModel):
+    required: bool = False
+    billing: Literal["org_wallet", "plugin_owner", "platform"] | None = None
+
+
 class PluginManifest(BaseModel):
     """Validated plugin manifest from palette-plugin.json."""
 
@@ -97,6 +112,8 @@ class PluginManifest(BaseModel):
     agents: list[AgentDefinition] = Field(default_factory=list)
     tools: list[ToolEntry] = Field(default_factory=list)
     permissions: list[str] = Field(default_factory=list)
+    secrets: dict[str, SecretSpec] = Field(default_factory=dict)
+    platform_services: list[Literal["llm", "kv", "storage"]] | dict[str, PlatformServiceSpec] = Field(default_factory=list)
     rating: float = 0.0
     reviews: int = 0
     featured: bool = False

package/backend-sdk/palette_sdk/plugin_context.py

@@ -13,6 +13,10 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from palette_sdk.data_rooms import DataRoomsClient
 
 
+class MissingSecretError(KeyError):
+    """Raised when a declared required plugin secret is not configured."""
+
+
 @dataclass
 class PluginContext:
     """Context provided to plugin endpoints by the platform.
@@ -63,6 +67,15 @@ class PluginContext:
         secrets = self.config.get("secrets")
         if isinstance(secrets, dict) and key in secrets:
             return secrets[key]
+        specs = self.config.get("secret_specs")
+        spec = specs.get(key) if isinstance(specs, dict) else None
+        if isinstance(spec, dict):
+            if default is not None:
+                return default
+            if spec.get("required"):
+                help_text = spec.get("help") or spec.get("label") or "Configure this secret before using the plugin."
+                raise MissingSecretError(f"missing plugin secret {key}: {help_text}")
+            return default
         return os.environ.get(key, default)
 
     def repo(self, model: type[Any]):

package/docs/python-backend-sdk.md

@@ -183,7 +183,7 @@ from palette_sdk import OrgScopedTable
 
 
 class Invoice(OrgScopedTable):
-    __tablename__ = "invoices"
+    __tablename__ = "finance_tools__invoices"
 
     id: Mapped[int] = mapped_column(primary_key=True)
     customer_name: Mapped[str] = mapped_column(String(255), nullable=False)
@@ -191,8 +191,10 @@ class Invoice(OrgScopedTable):
     status: Mapped[str] = mapped_column(String(32), default="draft")
 ```
 
-`OrgScopedTable` adds `organization_id` automatically. Do not manually set
-`organization_id` in route code; `ctx.repo(Model)` handles it.
+`OrgScopedTable` adds `organization_id` automatically. Table names must start
+with the app prefix (`finance_tools__` for `finance-tools`) so app-owned data is
+easy to identify and validate. Do not manually set `organization_id` in route
+code; `ctx.repo(Model)` handles it.
 
 ### Migration Example
 
@@ -210,22 +212,22 @@ down_revision = None
 
 def upgrade():
     op.create_table(
-        "invoices",
+        "finance_tools__invoices",
         sa.Column("id", sa.Integer(), primary_key=True),
         sa.Column("organization_id", sa.BigInteger(), nullable=False),
         sa.Column("customer_name", sa.String(length=255), nullable=False),
         sa.Column("amount", sa.Numeric(12, 2), nullable=False),
         sa.Column("status", sa.String(length=32), nullable=False),
     )
-    op.create_index("ix_invoices_org", "invoices", ["organization_id"])
-    ensure_org_rls(op, "invoices")
+    op.create_index("ix_finance_tools__invoices_org", "finance_tools__invoices", ["organization_id"])
+    ensure_org_rls(op, "finance_tools__invoices")
 
 
 def downgrade():
-    op.drop_table("invoices")
+    op.drop_table("finance_tools__invoices")
 ```
 
-`ensure_org_rls(op, "invoices")` enables row-level security so each
+`ensure_org_rls(op, "finance_tools__invoices")` enables row-level security so each
 organization can only access its own rows.
 
 ## 7. Repository CRUD
@@ -476,8 +478,32 @@ async def sync_config(ctx: PluginContext = Depends(get_plugin_context)):
     }
 ```
 
-`ctx.secret("KEY")` first checks app config secrets and then falls back to the
-process environment variable named `KEY`.
+Declare secret ownership in `palette-plugin.json`:
+
+```json
+{
+  "secrets": {
+    "FINANCE_API_KEY": {
+      "scope": "install",
+      "required": true,
+      "help": "Provided by the installing organization."
+    },
+    "AUTHOR_STRIPE_SECRET": {
+      "scope": "plugin",
+      "required": true
+    },
+    "DEBUG_PROBE_URL": {
+      "scope": "dev",
+      "required": false
+    }
+  }
+}
+```
+
+`ctx.secret("KEY")` resolves declared secrets from the configured scope:
+install config, plugin-scope encrypted secrets, or local `.palette/.env.local`
+during `pltt dev`. Undeclared keys still fall back to the process environment
+for local compatibility.
 
 ## 10. Lifecycle Hooks
 

package/lib/cli.js

@@ -10,6 +10,7 @@ const login = require("./commands/login")
 const pkg = require("./commands/package")
 const status = require("./commands/status")
 const logs = require("./commands/logs")
+const secrets = require("./commands/secrets")
 
 const COMMANDS = {
   init: { run: init, help: "Scaffold a new plugin directory from the template" },
@@ -41,6 +42,10 @@ const COMMANDS = {
     run: logs,
     help: "Tail telemetry events for a plugin (--follow to stream)",
   },
+  secrets: {
+    run: secrets,
+    help: "Initialize local env files and manage plugin-scope secrets",
+  },
 }
 
 function printHelp() {
@@ -68,6 +73,10 @@ function printHelp() {
   console.log("\nLogs flags:")
   console.log("  --tail <n>       Tail last n events (default 50)")
   console.log("  -f, --follow     Stream events (poll every 3s)")
+  console.log("\nSecrets:")
+  console.log("  pltt secrets init")
+  console.log("  pltt secrets set NAME --value <secret> --env staging")
+  console.log("  pltt secrets list --env staging")
   console.log("\nExamples:")
   console.log("  pltt init my-app --template database")
   console.log("  pltt login --env staging --url https://sandbox.pltt.ai --token <token>")
@@ -78,6 +87,7 @@ function printHelp() {
   console.log("  pltt publish --env staging")
   console.log("  pltt status")
   console.log("  pltt logs --follow")
+  console.log("  pltt secrets init")
 }
 
 async function run(argv) {

package/lib/commands/build.js

@@ -19,9 +19,35 @@ const BANNED_PATTERNS = [
   { re: /\bDROP\s+SCHEMA\b/i, reason: "DROP SCHEMA is not allowed in plugin migrations" },
 ]
 
-function lintMigrationFile(absPath) {
+function pluginSafeId(pluginId) {
+  return String(pluginId || "").toLowerCase().replace(/[^a-z0-9_]/g, "_")
+}
+
+function pluginSchema(pluginId) {
+  return `app_${pluginSafeId(pluginId)}`
+}
+
+function pluginTablePrefix(pluginId) {
+  return `${pluginSafeId(pluginId)}__`
+}
+
+function crossPluginSchemaRefs(src, allowedSchema) {
+  if (!allowedSchema) return []
+  const refs = new Set()
+  const re = /(^|[^a-z0-9_])"?((?:app)_[a-z0-9_]+)"?\s*\./gi
+  let match
+  while ((match = re.exec(src)) !== null) {
+    const schema = match[2].toLowerCase()
+    if (schema !== allowedSchema) refs.add(schema)
+  }
+  return [...refs].sort()
+}
+
+function lintMigrationFile(absPath, pluginId) {
   const issues = []
   const src = fs.readFileSync(absPath, "utf8")
+  const requiredPrefix = pluginId ? pluginTablePrefix(pluginId) : null
+  const allowedSchema = pluginId ? pluginSchema(pluginId) : null
 
   for (const { re, reason } of BANNED_PATTERNS) {
     if (re.test(src)) {
@@ -29,12 +55,16 @@ function lintMigrationFile(absPath) {
     }
   }
 
+  for (const schema of crossPluginSchemaRefs(src, allowedSchema)) {
+    issues.push(`${path.basename(absPath)}: plugin migrations must not reference another app schema (${schema})`)
+  }
+
   // Every op.create_table("foo", ...) in the file must have a matching
   // ensure_org_rls(op, "foo") somewhere in the same file. Caveat: this is a
   // cheap syntactic check, not a full AST walk. If your table name is dynamic
   // or your migration is unusual, you can silence the check by adding the
   // magic comment `# palette:rls-ok` on the same logical migration.
-  if (/#\s*palette:rls-ok\b/.test(src)) return issues
+  const skipRlsCheck = /#\s*palette:rls-ok\b/.test(src)
 
   const tableNames = new Set()
   const createTableRe = /op\.create_table\(\s*['"]([a-zA-Z_][a-zA-Z0-9_]*)['"]/g
@@ -44,8 +74,13 @@ function lintMigrationFile(absPath) {
   }
 
   for (const name of tableNames) {
+    if (requiredPrefix && !name.startsWith(requiredPrefix)) {
+      issues.push(
+        `${path.basename(absPath)}: create_table("${name}") must use the app table prefix "${requiredPrefix}"`,
+      )
+    }
     const rlsRe = new RegExp(`ensure_org_rls\\(\\s*op\\s*,\\s*['"]${name}['"]`)
-    if (!rlsRe.test(src)) {
+    if (!skipRlsCheck && !rlsRe.test(src)) {
       issues.push(
         `${path.basename(absPath)}: create_table("${name}") is missing ensure_org_rls(op, "${name}"). ` +
           `Inherit from OrgScopedTable and call ensure_org_rls, or mark the migration with # palette:rls-ok if the table is intentionally global.`,
@@ -56,7 +91,7 @@ function lintMigrationFile(absPath) {
   return issues
 }
 
-function lintMigrationsDir(migrationsDir) {
+function lintMigrationsDir(migrationsDir, pluginId) {
   const errors = []
   const versionsDir = path.join(migrationsDir, "versions")
   if (!fs.existsSync(versionsDir)) {
@@ -66,7 +101,7 @@ function lintMigrationsDir(migrationsDir) {
   for (const entry of fs.readdirSync(versionsDir)) {
     if (!entry.endsWith(".py")) continue
     const abs = path.join(versionsDir, entry)
-    errors.push(...lintMigrationFile(abs))
+    errors.push(...lintMigrationFile(abs, pluginId))
   }
   return errors
 }
@@ -92,7 +127,7 @@ async function run(args, { cwd }) {
     } else if (!fs.existsSync(path.join(migrationsAbs, "env.py"))) {
       errors.push(`database.migrations directory is missing env.py: ${migrationsRel}`)
     } else {
-      errors.push(...lintMigrationsDir(migrationsAbs))
+      errors.push(...lintMigrationsDir(migrationsAbs, manifest.id))
     }
   }
 
@@ -107,3 +142,4 @@ async function run(args, { cwd }) {
 module.exports = run
 module.exports.lintMigrationsDir = lintMigrationsDir
 module.exports.lintMigrationFile = lintMigrationFile
+module.exports.pluginTablePrefix = pluginTablePrefix

package/lib/commands/dev.js

@@ -7,6 +7,7 @@ const { watchFrontend } = require("../bundler")
 const { parseFlags } = require("../environments")
 const { resolveDevPorts } = require("../ports")
 const { startSimulator } = require("../dev-simulator")
+const { loadLocalEnv } = require("../secrets")
 const publish = require("./publish")
 
 const DEFAULT_PLATFORM_IMAGE = "ghcr.io/palette-lab/platform-dev:latest"
@@ -78,6 +79,7 @@ async function run(args, { cwd }) {
   const { flags, rest } = parseFlags(args)
   const cloud = rest.includes("--cloud") || rest.includes("--sandbox")
   const platform = rest.includes("--platform")
+  loadLocalEnv(cwd)
   if (cloud) {
     const json = args.includes("--json")
     const publishArgs = []

package/lib/commands/doctor.js

@@ -6,6 +6,7 @@ const { spawnSync } = require("child_process")
 const { loadManifest, validateManifest } = require("../manifest")
 const { bundleFrontend } = require("../bundler")
 const { resolveDevPorts } = require("../ports")
+const { declaredSecrets, loadLocalEnv } = require("../secrets")
 
 const DEFAULT_IMAGE =
   process.env.PALETTE_DEV_IMAGE || "ghcr.io/palette-lab/platform-dev:latest"
@@ -120,6 +121,25 @@ async function run(args, { cwd }) {
       failures += checkEntry(cwd, `tool[${tool.name}]`, tool.entry)
     }
 
+    const secrets = declaredSecrets(manifest)
+    const localSecrets = loadLocalEnv(cwd, { apply: false })
+    if (Object.keys(secrets).length === 0) {
+      ok("no manifest secrets declared")
+    } else {
+      ok(`manifest declares ${Object.keys(secrets).length} secret(s)`)
+      for (const [name, spec] of Object.entries(secrets)) {
+        if (spec.scope.includes("dev") && !localSecrets[name]) {
+          warn(`local dev secret missing: ${name}`, "Run pltt secrets init and fill .palette/.env.local.")
+        }
+        if (spec.scope.includes("plugin") && spec.required && !localSecrets[name] && !process.env[name]) {
+          warn(
+            `plugin secret missing locally: ${name}`,
+            "Set an env var, pass --secrets-file to publish, or run pltt secrets set after first publish.",
+          )
+        }
+      }
+    }
+
     if (manifest.frontend?.entry) {
       try {
         const bundle = await bundleFrontend(cwd, manifest.frontend.entry, manifest.frontend)

package/lib/commands/init.js

@@ -4,6 +4,7 @@ const fs = require("fs")
 const path = require("path")
 const { spawnSync } = require("child_process")
 const os = require("os")
+const { initLocalEnv } = require("../secrets")
 
 const DEFAULT_TEMPLATE_REPO = "palette-lab/plugin-template"
 const TEMPLATE_REPO = process.env.PALETTE_TEMPLATE_REPO || DEFAULT_TEMPLATE_REPO
@@ -19,6 +20,10 @@ function toSlug(name) {
     .replace(/^-|-$/g, "")
 }
 
+function toDbSafeId(pluginId) {
+  return pluginId.toLowerCase().replace(/[^a-z0-9_]/g, "_")
+}
+
 function fetchTemplate(destDir) {
   const git = spawnSync(
     "git",
@@ -69,11 +74,16 @@ function rewriteScaffold(destDir, slug, displayName) {
   if (!fs.existsSync(manifestPath)) return
   const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"))
   const originalId = manifest.id
+  const originalDbSafeId = originalId ? toDbSafeId(originalId) : null
+  const nextDbSafeId = toDbSafeId(slug)
   if (originalId && originalId !== slug) {
     walkFiles(destDir, (filePath) => {
       try {
         const before = fs.readFileSync(filePath, "utf8")
-        const after = before.split(originalId).join(slug)
+        let after = before.split(originalId).join(slug)
+        if (originalDbSafeId && originalDbSafeId !== nextDbSafeId) {
+          after = after.split(originalDbSafeId).join(nextDbSafeId)
+        }
         if (after !== before) fs.writeFileSync(filePath, after)
       } catch (_err) {
         // Ignore non-text files. Templates are expected to be text, but this
@@ -85,7 +95,7 @@ function rewriteScaffold(destDir, slug, displayName) {
   rewrittenManifest.id = slug
   rewrittenManifest.name = displayName
   if (rewrittenManifest.database?.schema) {
-    rewrittenManifest.database.schema = `app_${slug.replace(/-/g, "_")}`
+    rewrittenManifest.database.schema = `app_${nextDbSafeId}`
   }
   fs.writeFileSync(manifestPath, JSON.stringify(rewrittenManifest, null, 2) + "\n")
 }
@@ -156,6 +166,12 @@ async function run(args, { cwd }) {
   fs.cpSync(tmp, destDir, { recursive: true })
   fs.rmSync(tmp, { recursive: true, force: true })
   rewriteScaffold(destDir, slug, displayName)
+  try {
+    const manifest = JSON.parse(fs.readFileSync(path.join(destDir, "palette-plugin.json"), "utf8"))
+    initLocalEnv(destDir, manifest)
+  } catch (_err) {
+    // The scaffold is still usable; `pltt secrets init` can repair env files.
+  }
 
   console.log(`[pltt] created ${destDir}`)
   console.log("[pltt] next steps:")

package/lib/commands/publish.js

@@ -11,6 +11,13 @@ const {
   parseFlags,
   confirmProduction,
 } = require("../environments")
+const {
+  declaredSecrets,
+  loadLocalEnv,
+  parseDotEnv,
+  readDotEnvFile,
+  redactValue,
+} = require("../secrets")
 
 function sha256(buf) {
   return crypto.createHash("sha256").update(buf).digest("hex")
@@ -77,6 +84,43 @@ async function put(url, buf, contentType) {
   }
 }
 
+function collectPluginSecrets(cwd, manifest, env, flags, log) {
+  const declared = declaredSecrets(manifest)
+  const pluginSecrets = Object.entries(declared).filter(([, spec]) => spec.scope.includes("plugin"))
+  const devRequired = Object.entries(declared).filter(([, spec]) => spec.scope.includes("dev") && spec.required)
+  if (devRequired.length) {
+    log(
+      `[pltt]   dev-only secrets are not uploaded: ${devRequired.map(([name]) => name).join(", ")}`,
+    )
+  }
+
+  let fileValues = {}
+  if (flags.secretsFile) {
+    fileValues = parseDotEnv(fs.readFileSync(path.resolve(cwd, flags.secretsFile), "utf8"))
+  }
+  const localValues = readDotEnvFile(path.join(cwd, ".palette", ".env.local"))
+  const values = {}
+  const missing = []
+  for (const [name, spec] of pluginSecrets) {
+    const value = fileValues[name] ?? process.env[name] ?? localValues[name]
+    if (value) {
+      values[name] = value
+      continue
+    }
+    if (spec.required) missing.push(name)
+  }
+  if (missing.length) {
+    throw new Error(
+      `missing required plugin-scope secret(s): ${missing.join(", ")}. ` +
+        `Set env vars, pass --secrets-file, or run pltt secrets set <NAME> --env ${env.name}.`,
+    )
+  }
+  for (const [name, value] of Object.entries(values)) {
+    log(`[pltt]   plugin secret ${name}=${redactValue(value)} (${env.name})`)
+  }
+  return values
+}
+
 async function run(argv, { cwd }) {
   const { flags } = parseFlags(argv)
   const log = (...args) => {
@@ -109,6 +153,7 @@ async function run(argv, { cwd }) {
   }
 
   const manifest = loadManifest(cwd)
+  loadLocalEnv(cwd)
   const errors = validateManifest(manifest)
   if (errors.length) {
     console.error("[pltt] manifest invalid:")
@@ -137,6 +182,13 @@ async function run(argv, { cwd }) {
 
   const backendSha = sha256(backend)
   const api = makeApi(env)
+  let pluginSecrets = {}
+  try {
+    pluginSecrets = collectPluginSecrets(cwd, manifest, env, flags, log)
+  } catch (err) {
+    console.error(`[pltt] ${err instanceof Error ? err.message : String(err)}`)
+    process.exit(1)
+  }
 
   log("[pltt]   requesting signed URLs")
   const signed = await api("/api/v1/appstore/sign-upload", {
@@ -169,7 +221,9 @@ async function run(argv, { cwd }) {
     bundle_path: signed.bundle_path,
     bundle_sha256: backendSha,
     manifest,
+    environment: env.name,
   }
+  if (Object.keys(pluginSecrets).length) publishBody.plugin_secrets = pluginSecrets
   if (Number.isFinite(flags.ttlHours) && flags.ttlHours > 0) {
     publishBody.preview_ttl_hours = flags.ttlHours
   }

package/lib/commands/secrets.js

@@ -0,0 +1,124 @@
+"use strict"
+
+const fs = require("fs")
+const path = require("path")
+const { loadManifest } = require("../manifest")
+const { parseFlags, resolveEnvironment } = require("../environments")
+const {
+  declaredSecrets,
+  initLocalEnv,
+  parseDotEnv,
+  readDotEnvFile,
+  redactValue,
+} = require("../secrets")
+
+function parseOwnFlags(argv) {
+  const out = { value: undefined, secretsFile: undefined }
+  const rest = []
+  for (let i = 0; i < argv.length; i += 1) {
+    const arg = argv[i]
+    if (arg === "--value") out.value = argv[++i]
+    else if (arg.startsWith("--value=")) out.value = arg.slice("--value=".length)
+    else if (arg === "--secrets-file") out.secretsFile = argv[++i]
+    else if (arg.startsWith("--secrets-file=")) out.secretsFile = arg.slice("--secrets-file=".length)
+    else rest.push(arg)
+  }
+  return { own: out, rest }
+}
+
+function makeApi(env) {
+  return async function api(pathname, { method = "GET", body } = {}) {
+    const res = await fetch(`${env.url}${pathname}`, {
+      method,
+      headers: {
+        Authorization: `Bearer ${env.token}`,
+        "Content-Type": "application/json",
+      },
+      body: body ? JSON.stringify(body) : undefined,
+    })
+    if (!res.ok) throw new Error(`${method} ${pathname} -> ${res.status}: ${await res.text()}`)
+    const ct = res.headers.get("content-type") || ""
+    return ct.includes("application/json") ? res.json() : res.text()
+  }
+}
+
+function loadFileValues(cwd, file) {
+  if (!file) return {}
+  const abs = path.resolve(cwd, file)
+  return parseDotEnv(fs.readFileSync(abs, "utf8"))
+}
+
+async function run(args, { cwd }) {
+  const [subcommand, ...tail] = args
+  const manifest = loadManifest(cwd)
+  const declared = declaredSecrets(manifest)
+
+  if (!subcommand || subcommand === "help" || subcommand === "--help") {
+    console.log("Usage: pltt secrets <init|list|set|rotate> [NAME] [--env staging]")
+    console.log("       pltt secrets set NAME --value <secret> --env staging")
+    console.log("       pltt secrets set NAME --secrets-file plugin-secrets.env --env staging")
+    return
+  }
+
+  if (subcommand === "init") {
+    const result = initLocalEnv(cwd, manifest)
+    console.log(`[pltt] wrote ${path.relative(cwd, result.localPath)}`)
+    console.log(`[pltt] wrote ${path.relative(cwd, result.examplePath)}`)
+    console.log("[pltt] updated .gitignore for local env files")
+    return
+  }
+
+  const { own, rest } = parseOwnFlags(tail)
+  const { flags } = parseFlags(rest)
+  let env
+  try {
+    env = resolveEnvironment({ cwd, flags })
+  } catch (err) {
+    console.error(`[pltt] ${err.message}`)
+    process.exit(1)
+  }
+  if (!env.token) {
+    console.error(`[pltt] no publish token for "${env.name}". Set $${env.token_env}.`)
+    process.exit(1)
+  }
+  const api = makeApi(env)
+
+  if (subcommand === "list") {
+    const response = await api(`/api/v1/appstore/plugins/${encodeURIComponent(manifest.id)}/secrets?env=${encodeURIComponent(env.name)}`)
+    for (const item of response.secrets || []) {
+      console.log(`${item.key}\tconfigured=${item.configured ? "yes" : "no"}\tupdated=${item.updated_at || "-"}`)
+    }
+    return
+  }
+
+  if (subcommand !== "set" && subcommand !== "rotate") {
+    console.error(`[pltt] unknown secrets command: ${subcommand}`)
+    process.exit(1)
+  }
+
+  const name = rest.find((item) => !item.startsWith("-"))
+  if (!name) {
+    console.error("[pltt] usage: pltt secrets set NAME --value <secret> [--env staging]")
+    process.exit(1)
+  }
+  const spec = declared[name]
+  if (spec && !spec.scope.includes("plugin")) {
+    console.error(`[pltt] ${name} is declared with scope ${spec.scope.join(",")}; only plugin-scope secrets are managed by this command.`)
+    process.exit(1)
+  }
+  const fileValues = loadFileValues(cwd, own.secretsFile)
+  const localValues = readDotEnvFile(path.join(cwd, ".palette", ".env.local"))
+  const value = own.value ?? fileValues[name] ?? process.env[name] ?? localValues[name]
+  if (!value) {
+    console.error(`[pltt] no value for ${name}. Pass --value, --secrets-file, or set $${name}.`)
+    process.exit(1)
+  }
+
+  await api(`/api/v1/appstore/plugins/${encodeURIComponent(manifest.id)}/secrets/${encodeURIComponent(name)}`, {
+    method: "PUT",
+    body: { value, environment: env.name },
+  })
+  console.log(`[pltt] ${subcommand === "rotate" ? "rotated" : "set"} ${name}=${redactValue(value)} for ${manifest.id} (${env.name})`)
+}
+
+module.exports = run

package/lib/commands/test.js

@@ -5,6 +5,7 @@ const path = require("path")
 const { spawnSync } = require("child_process")
 const { loadManifest, validateManifest, KNOWN_PERMISSIONS } = require("../manifest")
 const { bundleFrontend, bundleBackend } = require("../bundler")
+const { declaredSecrets, loadLocalEnv } = require("../secrets")
 const buildCommand = require("./build")
 
 const DEFAULT_FRONTEND_BUNDLE_LIMIT = 512 * 1024
@@ -252,7 +253,7 @@ function lintMigrations(cwd, manifest, out) {
   if (!fs.existsSync(path.join(migrationsAbs, "env.py"))) {
     return out.fail(`database.migrations directory is missing env.py: ${migrationsRel}`)
   }
-  const errors = buildCommand.lintMigrationsDir(migrationsAbs)
+  const errors = buildCommand.lintMigrationsDir(migrationsAbs, manifest.id)
   for (const err of errors) out.fail(err)
   if (errors.length === 0) out.ok("migration lint passed")
   return errors.length
@@ -601,6 +602,64 @@ function sandboxBridgeSmoke(cwd, manifest, out) {
   return 0
 }
 
+function checkDeclaredSecrets(cwd, manifest, out) {
+  const declared = declaredSecrets(manifest)
+  const names = Object.keys(declared)
+  if (names.length === 0) {
+    out.ok("no manifest secrets declared")
+    return 0
+  }
+  const localValues = loadLocalEnv(cwd, { apply: false })
+  let failures = 0
+  for (const [name, spec] of Object.entries(declared)) {
+    if (spec.scope.includes("dev") && spec.required && !localValues[name]) {
+      out.warn(
+        `required dev secret ${name} is missing from .palette/.env.local`,
+        "Run pltt secrets init and fill the local value before pltt dev.",
+        { secret: name, scope: spec.scope },
+      )
+    }
+    if (spec.scope.includes("plugin") && spec.required && !localValues[name] && !process.env[name]) {
+      out.warn(
+        `required plugin secret ${name} has no local value`,
+        "Set it before publish with an env var, --secrets-file, or pltt secrets set.",
+        { secret: name, scope: spec.scope },
+      )
+    }
+  }
+  if (!fs.existsSync(path.join(cwd, ".palette", ".env.local"))) {
+    out.warn(
+      ".palette/.env.local is missing",
+      "Run pltt secrets init to create local developer env files.",
+    )
+  } else {
+    out.ok(".palette/.env.local is present")
+  }
+  out.ok(`manifest declares ${names.length} secret(s)`, { secrets: names })
+  return failures
+}
+
+function checkFrontendSecretLeaks(cwd, frontendBuffer, manifest, out) {
+  const localValues = loadLocalEnv(cwd, { apply: false })
+  const declared = declaredSecrets(manifest)
+  let failures = 0
+  const bundleText = frontendBuffer.toString("utf8")
+  for (const [name, value] of Object.entries(localValues)) {
+    if (!value || String(value).length < 8) continue
+    const spec = declared[name]
+    const publicAllowed = name.startsWith("NEXT_PUBLIC_")
+    if (!publicAllowed && bundleText.includes(String(value))) {
+      failures += out.fail(
+        `frontend bundle contains local secret value for ${name}`,
+        "Move this value to backend ctx.secret(...) or rename it NEXT_PUBLIC_* only if it is intentionally public.",
+        { secret: name, declared_scope: spec?.scope },
+      )
+    }
+  }
+  if (failures === 0) out.ok("frontend local-secret leak scan passed")
+  return failures
+}
+
 async function run(args, { cwd }) {
   const json = args.includes("--json")
   let failures = 0
@@ -630,6 +689,7 @@ async function run(args, { cwd }) {
   failures += checkSdkCompatibility(cwd, manifest, out)
   failures += scanForbiddenImports(cwd, manifest, out)
   failures += checkSemverBump(cwd, manifest, out)
+  failures += checkDeclaredSecrets(cwd, manifest, out)
 
   for (const permission of manifest.permissions || []) {
     if (!KNOWN_PERMISSIONS.has(permission)) {
@@ -662,6 +722,7 @@ async function run(args, { cwd }) {
       const frontend = await bundleFrontend(cwd, manifest.frontend.entry, manifest.frontend)
       out.ok(`frontend bundles successfully (${frontend.length} bytes)`, { bytes: frontend.length })
       failures += checkBundleSize("frontend", frontend.length, out)
+      failures += checkFrontendSecretLeaks(cwd, frontend, manifest, out)
       failures += sandboxBridgeSmoke(cwd, manifest, out)
     } catch (err) {
       failures += out.fail(

package/lib/dev-simulator.js

@@ -7,6 +7,7 @@ const { spawn, spawnSync } = require("child_process")
 
 const { loadManifest } = require("./manifest")
 const { frontendBuildConfig } = require("./bundler")
+const { loadLocalEnv } = require("./secrets")
 
 function loadEsbuild() {
   try {
@@ -95,6 +96,7 @@ function writeBackendRunner(cwd, devDir, manifest, backendEntry) {
   const runner = path.join(devDir, "backend_runner.py")
   const sdkPath = localBackendSdkPath()
   const databasePath = path.join(devDir, `${manifest.id}.sqlite3`)
+  const devSecrets = loadLocalEnv(cwd, { apply: false })
   const content = `from __future__ import annotations
 
 import importlib
@@ -115,6 +117,7 @@ MANIFEST = json.loads(${JSON.stringify(JSON.stringify(manifest))})
 SDK_PATH = ${JSON.stringify(sdkPath || "")}
 DATABASE_ENABLED = bool(MANIFEST.get("database") or MANIFEST.get("capabilities", {}).get("database"))
 DATABASE_URL = os.environ.get("PALETTE_DEV_DATABASE_URL", "sqlite+aiosqlite:///${databasePath.replace(/\\/g, "/")}")
+DEV_SECRETS = json.loads(${JSON.stringify(JSON.stringify(devSecrets))})
 
 if SDK_PATH:
     sys.path.insert(0, SDK_PATH)
@@ -153,7 +156,11 @@ class DevPluginContextMiddleware(BaseHTTPMiddleware):
         request.state.org_role = "owner"
         request.state.plugin_id = MANIFEST.get("id", "")
         request.state.plugin_permissions = MANIFEST.get("permissions", [])
-        request.state.plugin_config = {}
+        request.state.plugin_config = {
+            "secrets": DEV_SECRETS,
+            "secret_specs": MANIFEST.get("secrets") or {},
+            "secret_scope": "dev",
+        }
         request.state.storage = None
         if SessionLocal is None:
             request.state.db = None

package/lib/environments.js

@@ -173,6 +173,7 @@ function parseFlags(argv) {
     url: undefined,
     token: undefined,
     default: true,
+    secretsFile: undefined,
   }
   const rest = []
   for (let i = 0; i < argv.length; i++) {
@@ -201,6 +202,10 @@ function parseFlags(argv) {
       flags.token = a.slice("--token=".length)
     } else if (a === "--no-default") {
       flags.default = false
+    } else if (a === "--secrets-file") {
+      flags.secretsFile = argv[++i]
+    } else if (a.startsWith("--secrets-file=")) {
+      flags.secretsFile = a.slice("--secrets-file=".length)
     } else {
       rest.push(a)
     }

package/lib/manifest.js

@@ -2,6 +2,7 @@
 
 const fs = require("fs")
 const path = require("path")
+const { SECRET_SCOPES } = require("./secrets")
 
 const MANIFEST_FILE = "palette-plugin.json"
 const SUPPORTED_MANIFEST_VERSIONS = ["1"]
@@ -46,6 +47,8 @@ const TOP_LEVEL_KEYS = new Set([
   "rate_limit",
   "database",
   "scheduled_jobs",
+  "secrets",
+  "platform_services",
 ])
 
 function loadManifest(cwd) {
@@ -69,6 +72,18 @@ function isObject(v) {
   return v !== null && typeof v === "object" && !Array.isArray(v)
 }
 
+function pluginSafeId(pluginId) {
+  return String(pluginId || "").toLowerCase().replace(/[^a-z0-9_]/g, "_")
+}
+
+function expectedPluginSchema(pluginId) {
+  return `app_${pluginSafeId(pluginId)}`
+}
+
+function expectedTablePrefix(pluginId) {
+  return `${pluginSafeId(pluginId)}__`
+}
+
 function unknownKeys(obj, allowed, label, errors) {
   if (!isObject(obj)) return
   for (const key of Object.keys(obj)) {
@@ -92,6 +107,71 @@ function validateArray(value, label, errors) {
   if (value !== undefined && !Array.isArray(value)) errors.push(`${label} must be an array`)
 }
 
+function validateSecrets(value, errors) {
+  if (value === undefined) return
+  if (!isObject(value)) {
+    errors.push("secrets must be an object")
+    return
+  }
+  const allowed = new Set(["scope", "required", "label", "help", "validate"])
+  for (const [name, spec] of Object.entries(value)) {
+    const label = `secrets.${name}`
+    if (!/^[A-Z_][A-Z0-9_]*$/.test(name)) {
+      errors.push(`${label} must be an uppercase environment-style name`)
+    }
+    if (!isObject(spec)) {
+      errors.push(`${label} must be an object`)
+      continue
+    }
+    unknownKeys(spec, allowed, label, errors)
+    const scopes = Array.isArray(spec.scope) ? spec.scope : [spec.scope || "dev"]
+    for (const scope of scopes) {
+      if (!SECRET_SCOPES.has(scope)) {
+        errors.push(`${label}.scope must be one of ${Array.from(SECRET_SCOPES).join(", ")}`)
+      }
+    }
+    requireBoolean(spec, "required", label, errors)
+    requireString(spec, "label", label, errors)
+    requireString(spec, "help", label, errors)
+    requireString(spec, "validate", label, errors)
+    if (spec.validate !== undefined) {
+      try {
+        new RegExp(spec.validate)
+      } catch (err) {
+        errors.push(`${label}.validate must be a valid regular expression`)
+      }
+    }
+  }
+}
+
+function validatePlatformServices(value, errors) {
+  if (value === undefined) return
+  const known = new Set(["llm", "kv", "storage"])
+  if (Array.isArray(value)) {
+    for (const service of value) {
+      if (!known.has(service)) errors.push(`platform_services contains unknown service: ${service}`)
+    }
+    return
+  }
+  if (!isObject(value)) {
+    errors.push("platform_services must be an array or object")
+    return
+  }
+  for (const [name, spec] of Object.entries(value)) {
+    if (!known.has(name)) errors.push(`platform_services.${name} is not supported`)
+    if (!isObject(spec)) {
+      errors.push(`platform_services.${name} must be an object`)
+      continue
+    }
+    unknownKeys(spec, new Set(["required", "billing"]), `platform_services.${name}`, errors)
+    requireBoolean(spec, "required", `platform_services.${name}`, errors)
+    requireString(spec, "billing", `platform_services.${name}`, errors)
+    if (spec.billing !== undefined && !["org_wallet", "plugin_owner", "platform"].includes(spec.billing)) {
+      errors.push(`platform_services.${name}.billing must be org_wallet, plugin_owner, or platform`)
+    }
+  }
+}
+
 function validateManifest(m) {
   const errors = []
   if (!isObject(m)) return ["manifest must be an object"]
@@ -157,6 +237,9 @@ function validateManifest(m) {
     errors.push("at least one of frontend, backend, or tools is required")
   }
 
+  validateSecrets(m.secrets, errors)
+  validatePlatformServices(m.platform_services, errors)
+
   if (m.sdk) {
     if (!isObject(m.sdk)) errors.push("sdk must be an object")
     else {
@@ -249,11 +332,21 @@ function validateManifest(m) {
       }
       if (m.database.schema !== undefined && !/^app_[a-z0-9_]+$/.test(m.database.schema)) {
         errors.push("database.schema must match /^app_[a-z0-9_]+$/")
+      } else if (m.database.schema !== undefined && m.id && m.database.schema !== expectedPluginSchema(m.id)) {
+        errors.push(`database.schema must be ${expectedPluginSchema(m.id)} for plugin ${m.id}`)
       }
     }
   }
 
   validateArray(m.shared_tables, "shared_tables", errors)
+  if (Array.isArray(m.shared_tables) && m.id) {
+    const prefix = expectedTablePrefix(m.id)
+    for (const table of m.shared_tables) {
+      if (typeof table === "string" && !table.startsWith(prefix)) {
+        errors.push(`shared_tables entries must use the app table prefix "${prefix}": ${table}`)
+      }
+    }
+  }
   validateArray(m.permissions, "permissions", errors)
   if (Array.isArray(m.permissions)) {
     const seen = new Set()

package/lib/secrets.js

@@ -0,0 +1,155 @@
+"use strict"
+
+const fs = require("fs")
+const path = require("path")
+
+const LOCAL_ENV_PATH = path.join(".palette", ".env.local")
+const EXAMPLE_ENV_PATH = path.join(".palette", ".env.example")
+const SECRET_SCOPES = new Set(["dev", "plugin", "install", "platform"])
+
+function parseDotEnv(src) {
+  const values = {}
+  for (const rawLine of String(src || "").split(/\r?\n/)) {
+    const line = rawLine.trim()
+    if (!line || line.startsWith("#")) continue
+    const match = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/)
+    if (!match) continue
+    let value = match[2] || ""
+    if (
+      (value.startsWith('"') && value.endsWith('"')) ||
+      (value.startsWith("'") && value.endsWith("'"))
+    ) {
+      value = value.slice(1, -1)
+    }
+    values[match[1]] = value
+  }
+  return values
+}
+
+function readDotEnvFile(filePath) {
+  if (!fs.existsSync(filePath)) return {}
+  return parseDotEnv(fs.readFileSync(filePath, "utf8"))
+}
+
+function writeDotEnvFile(filePath, values, manifest) {
+  const lines = [
+    "# Palette local developer secrets.",
+    "# This file is for pltt dev only and must not be committed.",
+    "",
+  ]
+  for (const [name, meta] of Object.entries(values)) {
+    const scope = Array.isArray(meta.scope) ? meta.scope.join(",") : meta.scope
+    lines.push(`# ${name}`)
+    lines.push(`# scope: ${scope || "dev"}`)
+    if (meta.label) lines.push(`# label: ${meta.label}`)
+    if (meta.help) lines.push(`# help: ${meta.help}`)
+    lines.push(`${name}=`)
+    lines.push("")
+  }
+  if (Object.keys(values).length === 0 && manifest?.id) {
+    lines.push(`# No secrets are declared by ${manifest.id}.`)
+    lines.push("")
+  }
+  fs.writeFileSync(filePath, lines.join("\n"))
+}
+
+function ensurePaletteDir(cwd) {
+  const dir = path.join(cwd, ".palette")
+  fs.mkdirSync(dir, { recursive: true })
+  return dir
+}
+
+function ensureGitignore(cwd) {
+  const gitignorePath = path.join(cwd, ".gitignore")
+  const required = [
+    ".palette/.env.local",
+    ".palette/*.env",
+    ".env",
+    ".env.local",
+    ".env.production",
+  ]
+  let existing = ""
+  if (fs.existsSync(gitignorePath)) existing = fs.readFileSync(gitignorePath, "utf8")
+  const lines = existing ? existing.split(/\r?\n/) : []
+  let changed = false
+  for (const entry of required) {
+    if (!lines.includes(entry)) {
+      lines.push(entry)
+      changed = true
+    }
+  }
+  if (changed || !fs.existsSync(gitignorePath)) {
+    fs.writeFileSync(gitignorePath, lines.filter((line, index) => line || index < lines.length - 1).join("\n") + "\n")
+  }
+}
+
+function normalizeScope(scope) {
+  if (Array.isArray(scope)) return scope
+  if (typeof scope === "string") return [scope]
+  return ["dev"]
+}
+
+function declaredSecrets(manifest) {
+  const raw = manifest?.secrets || {}
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) return {}
+  const out = {}
+  for (const [name, meta] of Object.entries(raw)) {
+    if (!/^[A-Z_][A-Z0-9_]*$/.test(name)) continue
+    const item = meta && typeof meta === "object" && !Array.isArray(meta) ? meta : {}
+    out[name] = {
+      ...item,
+      scope: normalizeScope(item.scope).filter((scope) => SECRET_SCOPES.has(scope)),
+      required: Boolean(item.required),
+    }
+    if (out[name].scope.length === 0) out[name].scope = ["dev"]
+  }
+  return out
+}
+
+function secretsForScope(manifest, scope) {
+  return Object.fromEntries(
+    Object.entries(declaredSecrets(manifest)).filter(([, meta]) => meta.scope.includes(scope)),
+  )
+}
+
+function initLocalEnv(cwd, manifest, { overwrite = false } = {}) {
+  ensurePaletteDir(cwd)
+  ensureGitignore(cwd)
+  const declared = declaredSecrets(manifest)
+  const localPath = path.join(cwd, LOCAL_ENV_PATH)
+  const examplePath = path.join(cwd, EXAMPLE_ENV_PATH)
+  if (overwrite || !fs.existsSync(localPath)) writeDotEnvFile(localPath, declared, manifest)
+  writeDotEnvFile(examplePath, declared, manifest)
+  return { localPath, examplePath, declared }
+}
+
+function loadLocalEnv(cwd, { apply = true } = {}) {
+  const values = readDotEnvFile(path.join(cwd, LOCAL_ENV_PATH))
+  if (apply) {
+    for (const [key, value] of Object.entries(values)) {
+      if (process.env[key] === undefined) process.env[key] = value
+    }
+  }
+  return values
+}
+
+function redactValue(value) {
+  if (!value) return ""
+  const str = String(value)
+  if (str.length <= 8) return "********"
+  return `${str.slice(0, 3)}…${str.slice(-3)}`
+}
+
+module.exports = {
+  EXAMPLE_ENV_PATH,
+  LOCAL_ENV_PATH,
+  SECRET_SCOPES,
+  declaredSecrets,
+  ensureGitignore,
+  initLocalEnv,
+  loadLocalEnv,
+  parseDotEnv,
+  readDotEnvFile,
+  redactValue,
+  secretsForScope,
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@palettelab/cli",
-  "version": "0.3.29",
+  "version": "0.3.31",
   "description": "Developer CLI for building Palette platform plugins — no platform source access required.",
   "bin": {
     "pltt": "bin/pltt.js"

package/template-fallback/templates/database/backend/api/models.py

@@ -5,7 +5,7 @@ from palette_sdk.db import OrgScopedTable
 
 
 class Note(OrgScopedTable):
-    __tablename__ = "notes"
+    __tablename__ = "my_db_plugin__notes"
 
     id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
     body: Mapped[str] = mapped_column(Text, nullable=False)

package/template-fallback/templates/database/backend/migrations/versions/001_init.py

@@ -11,15 +11,15 @@ down_revision = None
 
 def upgrade() -> None:
     op.create_table(
-        "notes",
+        "my_db_plugin__notes",
         sa.Column("id", sa.Integer(), primary_key=True, autoincrement=True),
         sa.Column("organization_id", sa.BigInteger(), nullable=False),
         sa.Column("body", sa.Text(), nullable=False),
     )
-    op.create_index("ix_notes_org", "notes", ["organization_id"])
-    ensure_org_rls(op, "notes")
+    op.create_index("ix_my_db_plugin__notes_org", "my_db_plugin__notes", ["organization_id"])
+    ensure_org_rls(op, "my_db_plugin__notes")
 
 
 def downgrade() -> None:
-    op.drop_index("ix_notes_org", table_name="notes")
-    op.drop_table("notes")
+    op.drop_index("ix_my_db_plugin__notes_org", table_name="my_db_plugin__notes")
+    op.drop_table("my_db_plugin__notes")