mirror of
https://github.com/katanemo/plano.git
synced 2026-04-25 08:46:24 +02:00
743d074184
Some checks are pending
CI / pre-commit (push) Waiting to run
CI / plano-tools-tests (push) Waiting to run
CI / native-smoke-test (push) Waiting to run
CI / docker-build (push) Waiting to run
CI / validate-config (push) Waiting to run
CI / security-scan (push) Blocked by required conditions
CI / test-prompt-gateway (push) Blocked by required conditions
CI / test-model-alias-routing (push) Blocked by required conditions
CI / test-responses-api-with-state (push) Blocked by required conditions
CI / e2e-plano-tests (3.10) (push) Blocked by required conditions
CI / e2e-plano-tests (3.11) (push) Blocked by required conditions
CI / e2e-plano-tests (3.12) (push) Blocked by required conditions
CI / e2e-plano-tests (3.13) (push) Blocked by required conditions
CI / e2e-plano-tests (3.14) (push) Blocked by required conditions
CI / e2e-demo-preference (push) Blocked by required conditions
CI / e2e-demo-currency (push) Blocked by required conditions
Publish docker image (latest) / build-arm64 (push) Waiting to run
Publish docker image (latest) / build-amd64 (push) Waiting to run
Publish docker image (latest) / create-manifest (push) Blocked by required conditions
Build and Deploy Documentation / build (push) Waiting to run
* feat: add initial documentation for Plano Agent Skills * feat: readme with examples * feat: add detailed skills documentation and examples for Plano --------- Co-authored-by: Adil Hafeez <adil.hafeez@gmail.com>
72 lines
2.1 KiB
Markdown
72 lines
2.1 KiB
Markdown
---
|
|
title: Use Environment Variable Substitution for All Secrets
|
|
impact: CRITICAL
|
|
impactDescription: Hardcoded API keys in config.yaml will be committed to version control and exposed in Docker container inspect output
|
|
tags: config, security, secrets, api-keys, environment-variables
|
|
---
|
|
|
|
## Use Environment Variable Substitution for All Secrets
|
|
|
|
Plano supports `$VAR_NAME` substitution in config values. This applies to `access_key` fields, `connection_string` for state storage, and `http_headers` in prompt targets and endpoints. Never hardcode credentials — Plano reads them from environment variables or a `.env` file at startup via `planoai up`.
|
|
|
|
**Incorrect (hardcoded secrets):**
|
|
|
|
```yaml
|
|
version: v0.3.0
|
|
|
|
model_providers:
|
|
- model: openai/gpt-4o
|
|
access_key: abcdefghijklmnopqrstuvwxyz... # Hardcoded — never do this
|
|
|
|
state_storage:
|
|
type: postgres
|
|
connection_string: "postgresql://admin:mysecretpassword@prod-db:5432/plano"
|
|
|
|
prompt_targets:
|
|
- name: get_data
|
|
endpoint:
|
|
name: my_api
|
|
http_headers:
|
|
Authorization: "Bearer abcdefghijklmnopqrstuvwxyz" # Hardcoded token
|
|
```
|
|
|
|
**Correct (environment variable substitution):**
|
|
|
|
```yaml
|
|
version: v0.3.0
|
|
|
|
model_providers:
|
|
- model: openai/gpt-4o
|
|
access_key: $OPENAI_API_KEY
|
|
default: true
|
|
|
|
- model: anthropic/claude-sonnet-4-20250514
|
|
access_key: $ANTHROPIC_API_KEY
|
|
|
|
state_storage:
|
|
type: postgres
|
|
connection_string: "postgresql://${DB_USER}:${DB_PASS}@${DB_HOST}:5432/${DB_NAME}"
|
|
|
|
prompt_targets:
|
|
- name: get_data
|
|
endpoint:
|
|
name: my_api
|
|
http_headers:
|
|
Authorization: "Bearer $MY_API_TOKEN"
|
|
```
|
|
|
|
**`.env` file pattern (loaded automatically by `planoai up`):**
|
|
|
|
```bash
|
|
# .env — add to .gitignore
|
|
OPENAI_API_KEY=sk-proj-...
|
|
ANTHROPIC_API_KEY=sk-ant-...
|
|
DB_USER=plano
|
|
DB_PASS=secure-password
|
|
DB_HOST=localhost
|
|
MY_API_TOKEN=tok_live_...
|
|
```
|
|
|
|
Plano also accepts keys set directly in the shell environment. Variables referenced in config but not found at startup cause `planoai up` to fail with a clear error listing the missing keys.
|
|
|
|
Reference: https://github.com/katanemo/archgw
|