secret-shuttle


secret-shuttle plugin for Cursor

2 agents

codex-instructions.example


# Codex Instructions For Secret Shuttle

When handling secrets, route the secret moment through Secret Shuttle.

Setup before the first secret operation:

```bash
npx secret-shuttle init
```

Do:

- navigate with the browser normally until a secret becomes visible or a secret value field is focused
- stop observing before the secret is visible to the model
- run Secret Shuttle commands from the terminal
- report only refs, fingerprints, and status
- approve production actions in the Secret Shuttle window your browser opens

Do not:

- ask the user to paste secret values
- read DOM or accessibility text while blind mode is active
- take screenshots while blind mode is active
- inspect console, network bodies, or clipboard while blind mode is active
- print raw values from `.env`, CLI output, or browser fields

Use:

```bash
# Provision a new local secret straight into a destination (one approval):
secret-shuttle provision --secret INTERNAL_CRON_SECRET \
  --from random_32_bytes \
  --environment production \
  --to vercel:production

# Capture a secret revealed on a page — mark the controls, then reveal-capture
# (blind mode is daemon-managed inside the transaction; you never see the value):
secret-shuttle browser mark pick --as reveal-btn
secret-shuttle browser mark focused --as revealed-field
secret-shuttle reveal-capture --name STRIPE_WEBHOOK_SECRET --env production \
  --source stripe --reveal-handle reveal-btn --field-handle revealed-field \
  --allow-domain dashboard.stripe.com

# Write a secret into a focused field and submit, verifying a success marker:
secret-shuttle browser mark focused --as value-field
secret-shuttle browser mark pick --as save-button
secret-shuttle inject-submit --ref ss://stripe/prod/STRIPE_WEBHOOK_SECRET \
  --field-handle value-field --submit-handle save-button --success-text "Saved"
```

To hand a secret to an external binary, use a template:

```bash
secret-shuttle template run vercel-env-add \
  --ref ss://stripe/prod/STRIPE_WEBHOOK_SECRET \
  --param name=STRIPE_WEBHOOK_SECRET \
  --param environment=production
```

Production actions require the human to approve in the Secret Shuttle window their browser opens. There is no CLI flag that bypasses approval.

cursor-rules.example


# Cursor Rules For Secret Shuttle

When working with production credentials, webhook signing secrets, API keys, or env var values:

- never put raw values in chat, files, logs, or screenshots
- use Secret Shuttle refs instead of raw values
- run `npx secret-shuttle init` once per project before the first secret operation
- prefer `secret-shuttle provision` (the magic path) — one approval to provision a project's secrets or a single `--secret`, with capture/inject driven for you
- use `secret-shuttle provision --secret <NAME> --from random_32_bytes` for new secrets
- to capture a secret revealed on a page, `secret-shuttle browser mark` the controls then `secret-shuttle reveal-capture` (blind mode is daemon-managed inside it)
- to write a secret into a focused field, `secret-shuttle browser mark` the field + submit control then `secret-shuttle inject-submit`
- verify with non-secret signals only — `secret-shuttle audit` and ref fingerprints via `secret-shuttle secrets get-ref`, never by revealing the value
- do not inspect DOM, accessibility tree, console, network bodies, or clipboard while blind mode is active
- approve production actions in the Secret Shuttle window your browser opens — there is no CLI flag that bypasses approval
- use `secret-shuttle template run vercel-env-add ...` to hand a secret to an external binary

Safe values to mention:

- refs such as `ss://stripe/prod/STRIPE_WEBHOOK_SECRET`
- fingerprints
- destination domains
- field names
- non-secret status

Unsafe values to mention:

- `whsec_...`
- `sk_live_...`
- service-role keys
- private tokens
- generated secret bodies
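Both instruction files end on the same reporting rule: the agent reports only refs, fingerprints, and status, and never a `whsec_...` or `sk_live_...` body. The guard below is an added example, not part of secret-shuttle or of either rules file; it shows one way to enforce that rule mechanically on the text an agent is about to emit, by scanning for the unsafe shapes and replacing each with a fingerprint while leaving refs, domains, field names, and status words untouched. The two prefixes come from the rules above. The minimum token length, the `.env`-style `NAME=value` shape, the `fp:` prefix, and the fingerprint scheme (a SHA-256 prefix) are assumptions, since the page does not describe secret-shuttle's own fingerprint format, and the sample report is constructed.

```python
"""Output guard for an agent's status report.

Added example, not part of secret-shuttle. Enforces "report only refs,
fingerprints, and status": secret-shaped values are replaced by a short
fingerprint before the text reaches chat, a file, or a log.
"""
import hashlib
import re

# Prefixes listed under "Unsafe values to mention". The {16,} length floor is an
# assumption so that the literal placeholder "whsec_..." in docs is not flagged.
TOKEN_PATTERNS = [
    re.compile(r"\bwhsec_[A-Za-z0-9]{16,}"),    # Stripe webhook signing secret
    re.compile(r"\bsk_live_[A-Za-z0-9]{16,}"),  # Stripe live secret key
]

# A raw .env-style line such as STRIPE_SECRET_KEY=<value> (assumed shape). A value
# that is already a fingerprint ("fp:...") is allowed and not matched again.
ENV_ASSIGNMENT = re.compile(
    r"^\s*(?P<name>[A-Z][A-Z0-9_]*(?:SECRET|KEY|TOKEN))=(?P<value>(?!fp:)\S+)",
    re.MULTILINE,
)

# Refs are safe to report; this matches the ss://source/env/NAME form on the page.
REF_PATTERN = re.compile(r"ss://[\w.-]+/[\w.-]+/[A-Z0-9_]+")


def fingerprint(value: str) -> str:
    """Non-reversible short identifier for a secret (assumed scheme: SHA-256 prefix)."""
    return "fp:" + hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def redact(text: str) -> tuple[str, list[str]]:
    """Replace every secret-shaped value with its fingerprint.

    Returns the redacted text and the fingerprints substituted. The .env pass
    runs first so that NAME=whsec_... becomes NAME=fp:... in a single step.
    """
    fps: list[str] = []

    def _env_sub(m: re.Match) -> str:
        fp = fingerprint(m.group("value"))
        fps.append(fp)
        return f"{m.group('name')}={fp}"

    def _token_sub(m: re.Match) -> str:
        fp = fingerprint(m.group(0))
        fps.append(fp)
        return fp

    text = ENV_ASSIGNMENT.sub(_env_sub, text)
    for pat in TOKEN_PATTERNS:
        text = pat.sub(_token_sub, text)
    return text, fps


def is_safe_report(text: str) -> bool:
    """True when the text contains none of the unsafe shapes and may be emitted as-is."""
    if ENV_ASSIGNMENT.search(text):
        return False
    return not any(p.search(text) for p in TOKEN_PATTERNS)


def refs_mentioned(text: str) -> list[str]:
    """The refs (safe identifiers) a report mentions, useful for audit logging."""
    return REF_PATTERN.findall(text)


# Constructed sample of a report that breaks the rule twice (values are not real).
SAMPLE_REPORT = """\
Captured ss://stripe/prod/STRIPE_WEBHOOK_SECRET from dashboard.stripe.com, status: saved.
Debug: the field showed whsec_EXAMPLEexampleEXAMPLE1234 before I stopped observing.
STRIPE_SECRET_KEY=sk_live_EXAMPLEexampleEXAMPLE5678
"""

if __name__ == "__main__":
    clean, fps = redact(SAMPLE_REPORT)
    print(clean)
    print("fingerprints:", fps, "refs:", refs_mentioned(clean))
```

Run the guard on every report before it leaves the agent: a report that fails `is_safe_report` should be redacted (or dropped), and the fingerprints it returns are the values that may be compared against `secret-shuttle secrets get-ref` output for verification without ever revealing the secret.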