Skip to content

docs: secure secret handling for server API key — keys.env pattern#26

Merged
colombod merged 4 commits into
mainfrom
feat/config-docs-update-for-secrets
May 28, 2026
Merged

docs: secure secret handling for server API key — keys.env pattern#26
colombod merged 4 commits into
mainfrom
feat/config-docs-update-for-secrets

Conversation

@colombod
Copy link
Copy Markdown
Collaborator

@colombod colombod commented May 28, 2026

What

Fixes a documentation error where the README and agent context file showed
context_intelligence_api_key as a literal value in settings.yaml — the
same insecure pattern that LLM providers explicitly avoid.

Changes

README.md

  • Enable server forwarding (Quick Start) — simplified to a single clear
    instruction: add AMPLIFIER_CONTEXT_INTELLIGENCE_SERVER_URL and
    AMPLIFIER_CONTEXT_INTELLIGENCE_API_KEY to ~/.amplifier/keys.env. The
    behavior YAML already resolves these placeholders automatically; no
    settings.yaml entry is required.
  • New section: "Configuring via the Amplifier app-cli" — explains the
    settings.yaml override mechanism for users who load the bundle through
    the app-cli and need to pass configuration overrides. Shows both the
    default-name case and the custom key name case (e.g.
    CONTEXT_INTELLIGENCE_TEAM_SERVER_API_KEY) with ${...} interpolation.
    Secrets never appear as literals; settings.yaml stays committable.

context/context-intelligence-awareness.md

  • Stripped "Finding connection parameters" back to its job: tell the agent
    which env vars drive the upload tool and that they come from keys.env.
    Removed all settings.yaml and app-cli references — this file is loaded
    into agent context and has no business knowing about configuration
    plumbing.

Validation

All documented patterns were validated in an isolated DTU (Ubuntu 24.04)
running the real ConfigResolver from the module:

  • AMPLIFIER_CONTEXT_INTELLIGENCE_API_KEY in env → resolved at priority 3
  • Custom key name + ${...} override → arrives as config dict at priority 1
  • Literal in settings.yaml → lowest priority, silently shadowed by env var
  • 7/7 tests passed

Diego Colombo added 4 commits May 28, 2026 13:02
docs: document keys.env as secure secret store for server API key
bf0c059 
- Rewrote 'Enable server forwarding' section in README.md with two secure patterns:
  * Option A: Use AMPLIFIER_CONTEXT_INTELLIGENCE_API_KEY in keys.env (default behavior)
  * Option B: Custom key name in keys.env + interpolated in settings.yaml with ${CUSTOM_VAR}
- Added explicit callout: settings.yaml with ${...} references is safe to commit; literal secrets are not
- Updated 'Finding connection parameters' section in context-intelligence-awareness.md:
  * Removed fallback to bundle config YAML
  * Documented correct pattern: secrets live in keys.env only
  * Explained both default and custom key name patterns
docs: move settings.yaml override guidance to app-cli section; simpli…
28e40f3 
…fy context file
docs: remove app-cli reference from agent context file
05442d1
docs: make secret guidance deployment-agnostic in context file
d02536a
@colombod colombod merged commit d12082c into main May 28, 2026
9 checks passed
@colombod colombod deleted the feat/config-docs-update-for-secrets branch May 28, 2026 14:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@colombod