Secrets Management System - Complete Guide¶

Architecture¶

03_07_01_secrets_management/
├── .env.template                  # Template (12 AI providers)
├── .env                           # Real secrets (never commit)
├── local_secrets_setup.ps1        # Interactive setup
├── scripts/
│   ├── load-ai-secrets.ps1               # Load secrets
│   ├── store-ai-secrets-1password.ps1    # Store in vault
│   └── verify-secrets-setup.ps1          # Health check
├── 1password/
│   └── AI_KEYS_SETUP.md
├── policies/
│   ├── ROTATION_POLICY.md
│   └── ACCESS_CONTROL.md
└── README_AI_SECRETS.md

Quick Start¶

First Time Setup¶

# 1. Create .env
.\local_secrets_setup.ps1

# 2. OR store in 1Password
.\scripts\store-ai-secrets-1password.ps1

# 3. Verify system
.\scripts\verify-secrets-setup.ps1

Daily Development¶

# Load secrets
.\scripts\load-ai-secrets.ps1

# Develop
# Keys available in environment

Workflows¶

Workflow 1: Local Development (.env)¶

Best for: Solo developers, quick prototyping

# Setup once
cp .env.template .env
notepad .env  # Add real keys

# Daily
.\scripts\load-ai-secrets.ps1 -UseLocalEnv

Pros: Simple, no dependencies Cons: Less secure, manual rotation

Workflow 2: 1Password (Team/Production)¶

Best for: Teams, production, security compliance

# Setup once
winget install AgileBits.1PasswordCLI
op signin
.\scripts\store-ai-secrets-1password.ps1

# Daily
.\scripts\load-ai-secrets.ps1

Pros: Secure, centralized, auditable Cons: Requires 1Password subscription

Workflow 3: Hybrid¶

Best for: Most projects

# Development: Use .env
.\scripts\load-ai-secrets.ps1 -UseLocalEnv

# Production: Use 1Password
.\scripts\load-ai-secrets.ps1

Supported Providers¶

Provider	Key Format	Cost
OpenAI	`sk-proj-...`	Pay-per-use
Anthropic	`sk-ant-...`	Pay-per-use
Gemini	`AIza...`	Free tier
Groq	`gsk_...`	Free tier
OpenRouter	`sk-or-...`	Per-model
Together AI	`...`	Competitive
Cohere	`...`	Pay-per-use
Mistral	`...`	Pay-per-use
Replicate	`r8_...`	Pay-per-use
Hugging Face	`hf_...`	Free tier
Perplexity	`pplx-...`	Pay-per-use
xAI	`xai-...`	Pay-per-use

Security¶

Rules¶

✅ NEVER commit .env
✅ Rotate every 90 days
✅ Revoke immediately if exposed
✅ Use minimal scopes

Validation¶

Scripts validate key formats:

OpenAI: sk-proj-* or sk-*
Anthropic: sk-ant-*
Gemini: AIza*
Groq: gsk_*
Replicate: r8_*
Hugging Face: hf_*
Perplexity: pplx-*
xAI: xai-*

Rotation¶

# Generate new key at provider
# Update in 1Password
op item edit "OpenAI API Key" --vault AudioLab-Development password="NEW_KEY"

# Or update .env
notepad .env

Troubleshooting¶

Keys not loading¶

# Verify system health
.\scripts\verify-secrets-setup.ps1

# Check which method
.\scripts\load-ai-secrets.ps1 -Verbose

1Password not working¶

# Check installation
op --version

# Re-authenticate
op signin

# Force .env fallback
.\scripts\load-ai-secrets.ps1 -UseLocalEnv

Wrong key format¶

Each provider has specific format. Check error message and regenerate key at provider portal.

Integration¶

C++¶

#include <cstdlib>

const char* key = std::getenv("OPENAI_API_KEY");
if (!key) throw std::runtime_error("Key not loaded");

JavaScript¶

const key = process.env.OPENAI_API_KEY;
if (!key) throw new Error("Key not loaded");

Python¶

import os

key = os.getenv("OPENAI_API_KEY")
if not key: raise ValueError("Key not loaded")

CI/CD¶

# GitHub Actions
jobs:
  build:
    steps:
      - name: Load secrets
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: cmake -B build

Support¶

Issues: Run .\scripts\verify-secrets-setup.ps1
Questions: Check README_AI_SECRETS.md
Emergency: See policies/ROTATION_POLICY.md