Security

The CLI handles sensitive configuration such as CPI service keys and Git provider tokens. Treat local CLI data as sensitive operational material.

CPI service keys

Tenant files are stored under the resolved profile in the local config directory:

text
{user-config-dir}/iflowkit/profiles/{profileId}/tenants/{env}.json

Recommendations:

  • Do not commit service key JSON files.
  • Restrict filesystem permissions on shared machines.
  • Rotate keys if they are exposed.
  • Use separate service keys per environment when possible.
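The following shell functions are an added example, not part of iflowkit, that put the recommendations above into a check you can run: an audit that flags any tenant file or directory readable by group or other, a fix that makes the tree owner-only, and a scan that spots service-key JSON before it reaches a commit. The config root is passed in as an argument because this page does not say how {user-config-dir} is resolved; the scan assumes an SAP BTP service key carries its OAuth client secret under a "clientsecret" field.

```bash
#!/usr/bin/env bash
# Added example (not iflowkit's own code): audit and harden the permissions of
# the local tenant-file tree, and spot service-key JSON that is about to be
# committed. The config root is passed in because the page does not define
# how {user-config-dir} is resolved (assumption: the caller knows the path).

# Return 0 when every directory under $1 is mode 700 and every file is 600.
# Otherwise print the offending paths and return 1 (2 if $1 is not a directory).
audit_tenant_perms() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
  # -perm MODE without a prefix is an exact match in both GNU and BSD find.
  bad=$( { find "$root" -type d ! -perm 700; find "$root" -type f ! -perm 600; } )
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}

# Make the tree owner-only: 700 on directories, 600 on files.
harden_tenant_perms() {
  root="$1"
  find "$root" -type d -exec chmod 700 {} +
  find "$root" -type f -exec chmod 600 {} +
}

# Read file paths on stdin and print those that look like SAP BTP service keys.
# Assumption: a service key JSON carries the OAuth client secret in a
# "clientsecret" field, so that string is used as the marker.
find_service_key_files() {
  while IFS= read -r f; do
    [ -f "$f" ] || continue
    if grep -qE '"clientsecret"[[:space:]]*:' "$f" 2>/dev/null; then
      printf '%s\n' "$f"
    fi
  done
  return 0
}

# Usage (assumes ~/.config as the user config dir on Linux):
#   profiles="$HOME/.config/iflowkit/profiles"
#   audit_tenant_perms "$profiles" || harden_tenant_perms "$profiles"
#   # as a pre-commit gate: refuse the commit if any staged file is a service key
#   [ -z "$(git diff --cached --name-only --diff-filter=ACM | find_service_key_files)" ]
```

The audit is deliberately strict about exact modes rather than "not world-readable": a 640 tenant file on a shared machine is still readable by everyone in the group, which is usually not what a service key should allow.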

Git provider tokens

Preferred variable:

bash
IFLOWKIT_GIT_TOKEN

Fallbacks may include GitHub and GitLab-specific variables.

Recommendations:

  • Use least-privilege tokens.
  • Avoid placing tokens on the command line, where they end up in shell history and are visible in process listings.
  • Prefer secret managers or CI/CD secret storage.
  • Rotate tokens after suspected exposure.
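As an added example that is not iflowkit's own code, the functions below show how to get IFLOWKIT_GIT_TOKEN into the environment without the value ever being typed: either from a file that only the owner can read, or from a secret-manager command whose output is captured. A third function checks a shell history file for literal assignments of the variable. The history-file default and the secret-manager command in the usage note are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not iflowkit's own code): load IFLOWKIT_GIT_TOKEN from a
# protected file or from a secret-manager command without putting the token
# on a command line, and check shell history for literal token assignments.

# Export IFLOWKIT_GIT_TOKEN from a file that only the owner may read.
# Returns 1 if the file is missing, empty, or not mode 0600/0400.
load_git_token_from_file() {
  f="$1"
  [ -f "$f" ] || { echo "no token file: $f" >&2; return 1; }
  if [ -z "$(find "$f" \( -perm 600 -o -perm 400 \))" ]; then
    echo "refusing $f: must be mode 600 or 400" >&2
    return 1
  fi
  tok=$(head -n 1 "$f")          # first line only; trailing newline is dropped
  [ -n "$tok" ] || { echo "token file is empty: $f" >&2; return 1; }
  export IFLOWKIT_GIT_TOKEN="$tok"
  return 0
}

# Same, but from a command that prints the secret (a secret-manager CLI, a
# cloud credential helper, ...). The command is given as arguments and its
# output is captured, so the token itself is never part of a command line.
load_git_token_from_cmd() {
  tok=$("$@") || { echo "secret command failed" >&2; return 1; }
  [ -n "$tok" ] || { echo "secret command printed nothing" >&2; return 1; }
  export IFLOWKIT_GIT_TOKEN="$tok"
  return 0
}

# Look for literal assignments such as `export IFLOWKIT_GIT_TOKEN=abc` in a
# history file (default ~/.bash_history, an assumption). Assignments from a
# command substitution ("$(...)" or `...`) are not flagged. Only line numbers
# are reported so the token is not echoed back to the terminal.
history_leaks_token() {
  hist="${1:-$HOME/.bash_history}"
  [ -f "$hist" ] || return 0
  pat="IFLOWKIT_GIT_TOKEN=[\"']?[^\"'\\$\`(]"
  lines=$(grep -nE "$pat" "$hist" | cut -d: -f1)
  if [ -n "$lines" ]; then
    printf 'literal token assignment in %s at line(s): %s\n' \
      "$hist" "$(printf '%s' "$lines" | tr '\n' ' ')" >&2
    return 1
  fi
  return 0
}

# Usage (the `pass` invocation is an assumption; use whatever secret store you have):
#   load_git_token_from_cmd pass show iflowkit/git-token && iflowkit ...
#   history_leaks_token || echo "rotate the token and clear the history line"
```

In CI, skip both loaders and let the pipeline's secret store inject IFLOWKIT_GIT_TOKEN directly; the history check is still worth running on developer machines after a suspected exposure, since a token that was once exported literally should be treated as leaked and rotated.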

Logs

Logs are written under:

text
{user-config-dir}/iflowkit/logs/

Avoid sharing logs publicly without reviewing them for sensitive values.
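Reviewing a log by eye is error-prone, so the following is an added example, not iflowkit's own code, of a redaction pass to run over a log before sharing it. The patterns (token environment assignments, Bearer/Basic authorization values, secret-bearing JSON fields, credentials embedded in Git URLs) are assumptions about what such a log may contain, not a description of iflowkit's log format, and the sample lines in the usage are constructed.

```bash
#!/usr/bin/env bash
# Added example (not iflowkit's own code): scrub secret-bearing patterns from a
# CLI log before it is shared. The patterns are assumptions about what can
# appear in such logs, not a description of iflowkit's log format.

# Read a log on stdin, write the redacted log on stdout.
redact_log() {
  sed -E \
    -e 's#(IFLOWKIT_GIT_TOKEN=)[^[:space:]]+#\1[REDACTED]#g' \
    -e 's#((Bearer|Basic) )[A-Za-z0-9._~+/=-]+#\1[REDACTED]#g' \
    -e 's#("(clientsecret|client_secret|password|token)"[[:space:]]*:[[:space:]]*")[^"]*"#\1[REDACTED]"#g' \
    -e 's#(https?://)[^/@[:space:]]+:[^/@[:space:]]+@#\1[REDACTED]@#g'
}

# Write a redacted copy of $1 to $2 and print how many values were redacted.
# A count of 0 on a log you expected to contain secrets means the patterns
# above need extending, not that the log is clean.
redact_log_file() {
  redact_log < "$1" > "$2"
  grep -o '\[REDACTED\]' "$2" | wc -l | tr -d ' '
}

# Usage on a constructed sample (timestamps and values are made up):
#   cat > sample.log <<'EOF'
#   2024-01-01T10:00:00Z debug env IFLOWKIT_GIT_TOKEN=constructed-token-1 profile=default
#   2024-01-01T10:00:01Z debug request Authorization: Bearer abc.def-ghi_123
#   EOF
#   redact_log_file sample.log sample.redacted.log   # prints 2
```

Share the redacted copy, keep the original local, and still read the redacted file once: the patterns catch known shapes, not a secret that happens to be logged under a field name nobody anticipated.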

.iflowkit/ repository folder

A sync repository contains .iflowkit/ metadata. This may include package metadata, ignore rules and transport records.

Transport records are useful for audit and retry behavior, but they may reveal operational context such as package IDs, branch names and object IDs.

Review repository visibility before pushing CPI package content or transport metadata to a remote Git provider.