Security & privacy

Protect platform-issued credentials, enforce policy checks, and maintain auditable run history without slowing down engineering velocity.

Time: 9 min
Audience: Platform admins, security teams, and maintainers

Security fundamentals

  • Treat developer keys and provider credentials as secrets at all times.
  • Rotate keys periodically and immediately after suspected exposure.
  • Prefer PR publish mode for branch protection and review visibility.
  • Preserve immutable audit history for approvals, rejects, and publishes.

Developer key lifecycle

Keys should be created and managed in the ReactorAI dashboard, then used only in secure local or CI environments.

Platform key lifecycle + CLI auth
# Key lifecycle in https://reactorai.codes dashboard
# 1) Create Developer Key
# 2) Copy once and store in a password manager
# 3) Use key for CLI authentication
# 4) Rotate or revoke compromised keys immediately

export REFACTOR_PLATFORM_URL=https://reactorai.codes
refactor login --key <active_developer_key>
refactor whoami

CLI secret hygiene

Run strict checks before merge to prevent accidental secret commits and ensure configuration references remain environment-driven.

CLI guardrails for secret safety
# Never commit raw provider or developer keys
refactor check --strict

# Prefer environment interpolation in refactor.consti
export REFACTOR_PLATFORM_URL=https://reactorai.codes
export REFACTOR_API_KEY=<rfk_live_key>

refactor config
refactor doctor

Environment management baseline

Store secrets in vault-backed environment injection for shared development and CI environments.

Secure environment baseline
# Example: secure environment baseline
REFACTOR_PLATFORM_URL=https://reactorai.codes
REFACTOR_API_KEY=<developer-key-from-platform>

# Keep secrets in secure env injection (local vault or CI secrets)
# Do not commit keys into the repository
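The two checks described above (a strict pre-merge scan for committed keys, and a config that only references keys through the environment) and the environment baseline, as an added example. This is a standalone POSIX sh guard written for this page, not part of the `refactor` CLI or its docs. It assumes that developer keys carry the `rfk_live_` prefix shown on this page followed by at least 16 alphanumeric characters, that `refactor.consti` sets the key under an `api_key` entry (assumed name), and that the accepted form of that entry is the `${REFACTOR_API_KEY}` reference; the sample config files are constructed here for demonstration.

```sh
#!/bin/sh
# Added example for this page (not ReactorAI's own tooling): a pre-merge
# guard that complements `refactor check --strict`.
# Assumptions: keys look like rfk_live_ + 16 or more [A-Za-z0-9] characters
# (so placeholders such as <rfk_live_key> are not flagged); refactor.consti
# uses an "api_key" entry (assumed name) that must be ${REFACTOR_API_KEY}.

# scan_for_raw_keys FILE... : returns 1 if any file contains a literal key.
# Findings are printed with the key body masked so the log itself does not leak it.
scan_for_raw_keys() {
  rc=0
  for path in "$@"; do
    if grep -qE 'rfk_live_[A-Za-z0-9]{16,}' "$path" 2>/dev/null; then
      echo "raw developer key committed in $path:" >&2
      grep -nE 'rfk_live_[A-Za-z0-9]{16,}' "$path" \
        | sed -E 's/rfk_live_[A-Za-z0-9]{16,}/rfk_live_****/g' >&2
      rc=1
    fi
  done
  return $rc
}

# check_env_interpolation FILE : returns 1 if an api_key entry holds a
# literal value instead of the ${REFACTOR_API_KEY} reference.
check_env_interpolation() {
  path=$1
  if grep -iE '^[[:space:]]*api_key[[:space:]]*[:=]' "$path" 2>/dev/null \
       | grep -vqF '${REFACTOR_API_KEY}'; then
    echo "$path: api_key must reference \${REFACTOR_API_KEY}, not a literal" >&2
    return 1
  fi
  return 0
}

# check_runtime_env : returns 1 if the key is absent from the environment or
# still holds an unfilled <placeholder>, so the CLI never runs with a value
# copied out of a template instead of injected from the vault / CI secrets.
check_runtime_env() {
  case "${REFACTOR_API_KEY:-}" in
    "")   echo "REFACTOR_API_KEY is not set; inject it from the secret store" >&2; return 1 ;;
    "<"*) echo "REFACTOR_API_KEY still holds a placeholder value" >&2; return 1 ;;
  esac
  return 0
}

# guard_staged : run both checks over files staged for commit (git hook use).
guard_staged() {
  set -- $(git diff --cached --name-only --diff-filter=ACM)
  [ $# -eq 0 ] && return 0
  scan_for_raw_keys "$@" || return 1
  for path in "$@"; do
    case "$path" in
      *.consti) check_env_interpolation "$path" || return 1 ;;
    esac
  done
}

# Constructed sample config files (demonstration input, not real configuration).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/bad.consti" <<'EOF'
platform_url = https://reactorai.codes
api_key = rfk_live_EXAMPLE000000000000000000
EOF
cat > "$demo_dir/good.consti" <<'EOF'
platform_url = ${REFACTOR_PLATFORM_URL}
api_key = ${REFACTOR_API_KEY}
EOF

for sample in "$demo_dir/bad.consti" "$demo_dir/good.consti"; do
  if scan_for_raw_keys "$sample" && check_env_interpolation "$sample"; then
    echo "$sample: ok"
  else
    echo "$sample: REJECTED"
  fi
done
```

Wired into a pre-commit or CI step, `guard_staged` fails the change before a literal key reaches the repository, and `check_runtime_env` belongs at the top of any script that calls `refactor login` or `refactor config`, so a shared environment that forgot to inject the secret fails loudly instead of running with a placeholder.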