{
"id": "secret-handling:no-secrets-in-prompts",
"_kind": "SecretHandlingPolicy",
"_file": "security/secret-handling/secret-handling-policies.yaml",
"_cluster": "security",
"attributes": {
"displayName": "No secrets in agent prompts",
"rule": "Tracker credentials, vendor API keys, and SSH keys MUST NOT appear in the body or front-matter of a prompt template.",
"scope": "workflow-config",
"enforcement": "workflow-linter",
"rationale": "The prompt body is logged in run journals, so a secret embedded in it would be written to those journals; secrets must come from the environment only."
},
"outgoingEdges": [],
"incomingEdges": [
{
"from": "workflow:linear-default",
"to": "secret-handling:no-secrets-in-prompts",
"kind": "applies_secret_policy",
"attributes": {}
}
]
}