lsh-framework 1.7.2 → 1.7.4

package/README.md

@@ -512,6 +512,11 @@ lsh -s script.sh
 
 ## Security
 
+> **⚠️ CRITICAL: Read [SECURITY.md](SECURITY.md) for complete security guidelines**
+>
+> The security of your secrets depends entirely on how you store your `LSH_SECRETS_KEY`.
+> **Never store it in your project's `.env` file** - use your shell profile instead.
+
 ### Encryption
 
 - **Algorithm**: AES-256-CBC
@@ -522,16 +527,18 @@ lsh -s script.sh
 ### Best Practices
 
 **✅ DO:**
-- Generate unique keys per project
-- Share keys via 1Password/LastPass
-- Use different keys for personal vs team projects
+- Store `LSH_SECRETS_KEY` in your shell profile (`~/.zshrc`, `~/.bashrc`)
+- Generate unique keys per project/team
+- Share keys securely via 1Password/LastPass/Bitwarden
+- Use different keys for dev/staging/production environments
 - Rotate keys periodically
-- Keep backups of your .env files
+- Keep encrypted backups of your encryption key
 
 **❌ DON'T:**
+- Store `LSH_SECRETS_KEY` in your project's `.env` file
 - Commit `LSH_SECRETS_KEY` to git
 - Share keys in plain text (Slack, email, etc.)
-- Reuse keys across projects
+- Reuse keys across different teams/projects
 - Store production secrets in dev environment
 
 ### Command Validation

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lsh-framework",
-  "version": "1.7.2",
+  "version": "1.7.4",
   "description": "Simple, cross-platform encrypted secrets manager with automatic sync, IPFS audit logs, and multi-environment support. Just run lsh sync and start managing your secrets.",
   "main": "dist/app.js",
   "bin": {