secret-shuttle plugin for Cursor
# Codex Instructions For Secret Shuttle
When handling secrets, route the secret moment through Secret Shuttle.
Setup before the first secret operation:
```bash
npx secret-shuttle init
```
Do:
- navigate with the browser normally until a secret becomes visible or a secret value field is focused
- stop observing before the secret is visible to the model
- run Secret Shuttle commands from the terminal
- report only refs, fingerprints, and status
- approve production actions in the Secret Shuttle window your browser opens
Do not:
- ask the user to paste secret values
- read DOM or accessibility text while blind mode is active
- take screenshots while blind mode is active
- inspect console, network bodies, or clipboard while blind mode is active
- print raw values from `.env`, CLI output, or browser fields
Use:
```bash
# Provision a new local secret straight into a destination (one approval):
secret-shuttle provision --secret INTERNAL_CRON_SECRET \
--from random_32_bytes \
--environment production \
--to vercel:production
# Capture a secret revealed on a page — mark the controls, then reveal-capture
# (blind mode is daemon-managed inside the transaction; you never see the value):
secret-shuttle browser mark pick --as reveal-btn
secret-shuttle browser mark focused --as revealed-field
secret-shuttle reveal-capture --name STRIPE_WEBHOOK_SECRET --env production \
--source stripe --reveal-handle reveal-btn --field-handle revealed-field \
--allow-domain dashboard.stripe.com
# Write a secret into a focused field and submit, verifying a success marker:
secret-shuttle browser mark focused --as value-field
secret-shuttle browser mark pick --as save-button
secret-shuttle inject-submit --ref ss://stripe/prod/STRIPE_WEBHOOK_SECRET \
--field-handle value-field --submit-handle save-button --success-text "Saved"
```
To hand a secret to an external binary, use a template:
```bash
secret-shuttle template run vercel-env-add \
--ref ss://stripe/prod/STRIPE_WEBHOOK_SECRET \
--param name=STRIPE_WEBHOOK_SECRET \
--param environment=production
```
Production actions require the human to approve in the Secret Shuttle window their browser opens. There is no CLI flag that bypasses approval.
# Cursor Rules For Secret Shuttle
When working with production credentials, webhook signing secrets, API keys, or env var values:
- never put raw values in chat, files, logs, or screenshots
- use Secret Shuttle refs instead of raw values
- run `npx secret-shuttle init` once per project before the first secret operation
- prefer `secret-shuttle provision` (the magic path) — one approval to provision a project's secrets or a single `--secret`, with capture/inject driven for you
- use `secret-shuttle provision --secret <NAME> --from random_32_bytes` for new secrets
- to capture a secret revealed on a page, `secret-shuttle browser mark` the controls then `secret-shuttle reveal-capture` (blind mode is daemon-managed inside it)
- to write a secret into a focused field, `secret-shuttle browser mark` the field + submit control then `secret-shuttle inject-submit`
- verify with non-secret signals only — `secret-shuttle audit` and ref fingerprints via `secret-shuttle secrets get-ref`, never by revealing the value
- do not inspect DOM, accessibility tree, console, network bodies, or clipboard while blind mode is active
- approve production actions in the Secret Shuttle window your browser opens — there is no CLI flag that bypasses approval
- use `secret-shuttle template run vercel-env-add ...` to hand a secret to an external binary
Safe values to mention:
- refs such as `ss://stripe/prod/STRIPE_WEBHOOK_SECRET`
- fingerprints
- destination domains
- field names
- non-secret status
Unsafe values to mention:
- `whsec_...`
- `sk_live_...`
- service-role keys
- private tokens
- generated secret bodies
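The "report only refs, fingerprints, and status" rule in the Codex instructions and the safe/unsafe lists above can be enforced mechanically on anything an agent is about to print. The following is an added example, not part of the Secret Shuttle plugin or this page: it scans agent output for the raw-value shapes the page names (`whsec_...`, `sk_live_...`, a generated 32-byte body), replaces each with a non-reversible fingerprint, and leaves `ss://` refs untouched. The prefixes and the example ref `ss://stripe/prod/STRIPE_WEBHOOK_SECRET` come from the page; the token-length heuristics, the ref regex, and the `fp:` fingerprint format are this example's own assumptions, not Secret Shuttle's formats.

```python
import hashlib
import re

# Raw-value shapes the page lists as unsafe to mention. The prefixes are from the
# page; the minimum body lengths are assumptions made for this example.
RAW_SECRET_PATTERNS = [
    re.compile(r"\bwhsec_[A-Za-z0-9]{16,}\b"),    # Stripe webhook signing secret
    re.compile(r"\bsk_live_[A-Za-z0-9]{16,}\b"),  # Stripe live API key
    # A generated 32-byte body (as from `--from random_32_bytes`) rendered as
    # 64 hex chars or as 43 base64 chars with optional padding. Heuristic, assumed.
    re.compile(r"\b[0-9a-f]{64}\b"),
    re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{43}=?(?![A-Za-z0-9+/=])"),
]

# Secret Shuttle refs are safe to mention. This shape is inferred only from the
# single ref shown on the page and is an assumption of this example.
REF_PATTERN = re.compile(r"ss://[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+/[A-Za-z0-9_]+")


def fingerprint(value: str) -> str:
    """Short, non-reversible fingerprint of a secret value.

    A truncated SHA-256 lets two parties confirm they hold the same value
    without either one revealing it. The `fp:` + 12-hex format is this
    example's choice, not the fingerprint format Secret Shuttle reports.
    """
    return "fp:" + hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def find_raw_secrets(text: str) -> list:
    """Return the distinct raw secret values found in `text`, in order of first match."""
    found = []
    for pattern in RAW_SECRET_PATTERNS:
        for match in pattern.finditer(text):
            if match.group(0) not in found:
                found.append(match.group(0))
    return found


def find_refs(text: str) -> list:
    """Return the Secret Shuttle refs mentioned in `text` (these are safe to report)."""
    return REF_PATTERN.findall(text)


def redact(text: str) -> str:
    """Replace every raw secret value with its fingerprint; refs are left intact."""
    for raw in find_raw_secrets(text):
        text = text.replace(raw, fingerprint(raw))
    return text


def is_safe_to_report(text: str) -> bool:
    """True when `text` contains no raw secret values (refs and fingerprints are fine)."""
    return not find_raw_secrets(text)


# Constructed sample of what an agent must NOT emit: a ref (fine) next to raw values.
# Every secret-looking value below is made up for this example.
SAMPLE_AGENT_OUTPUT = (
    "Provisioned ss://stripe/prod/STRIPE_WEBHOOK_SECRET; value is "
    "whsec_EXAMPLEa1b2c3d4e5f6g7h8 and the live key was sk_live_EXAMPLE0123456789abcd\n"
    "generated body: " + "0f" * 32 + "\n"
)

if __name__ == "__main__":
    print("safe before redaction:", is_safe_to_report(SAMPLE_AGENT_OUTPUT))
    cleaned = redact(SAMPLE_AGENT_OUTPUT)
    print(cleaned)
    print("refs:", find_refs(cleaned))
    print("safe after redaction:", is_safe_to_report(cleaned))
```

Run the block directly to see the constructed message before and after redaction. The fingerprint is meant for human comparison of "is this the same value?" across a chat or audit log; it is not an authentication token, and a 12-hex prefix deliberately carries no information usable to reconstruct the value.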