Secrets

Prerequisites

Declare and read

import { secret } from "@org/fluffy-chainsaw";

const key = await secret.get("stripe-key");   // async — returns the value as a string

Grant it to a runner

secrets:
  stripe-key: {}

runners:
  orders-api:
    uses:
      secrets: [stripe-key]   # grants read access + injects the descriptor

A secret declared in code that no runner lists under uses.secrets fails validation (E_USES_SECRET_UNKNOWN) — either grant it or opt out explicitly with defaults: { secrets: { unused: true } }.

Where the value comes from

fluffy-chainsaw provisions the secret container and the runner's access — never the value. Set the value out-of-band:

printf '%s' "sk_live_..." | gcloud secrets versions add stripe-key --data-file=-

Locally, fluffy-chainsaw local wires an env-backed descriptor, so the value comes from your local environment instead of Secret Manager.
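
The out-of-band step above puts the live key on the command line, where it ends up in shell history. The helper below is an added example, not part of fluffy-chainsaw: it reads the value from a no-echo prompt or from stdin and hands it to the same gcloud command. The name put_secret is hypothetical, and the block assumes bash and an authenticated gcloud.

```bash
#!/usr/bin/env bash
# Added example, not fluffy-chainsaw code. put_secret is a hypothetical helper.
#
# Usage: put_secret stripe-key              (interactive: prompts, no echo)
#        put_secret stripe-key < key.txt    (value from a file or pipe)
put_secret() {
  local name="$1" value cr
  [ -n "$name" ] || { echo "usage: put_secret <secret-name>" >&2; return 2; }

  if [ -t 0 ]; then
    # Interactive: the value is typed at a prompt, so it is never part of
    # the command line and never lands in shell history. -s disables echo.
    IFS= read -rs -p "Value for ${name}: " value
    echo >&2
  else
    # Piped or redirected: $(...) drops the trailing newline(s) that
    # editors and `echo` append.
    value="$(cat)"
  fi

  # Assumption: a trailing carriage return is a line-ending artifact
  # (file saved with CRLF), not part of the secret.
  cr="$(printf '\r')"
  value="${value%"$cr"}"

  [ -n "$value" ] || { echo "refusing to store an empty value" >&2; return 1; }

  # printf '%s' writes exactly the bytes of the value, with no newline,
  # matching the command shown above.
  printf '%s' "$value" | gcloud secrets versions add "$name" --data-file=-
}
```

A stray newline or carriage return stored with the key typically surfaces later as an authentication failure at the API that consumes it, which is why the helper normalises line endings before upload.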

Field reference

Gotchas