Security
Security in iFlowKit Core starts with a simple rule: do not put secrets in source code.
Never commit secrets
Do not commit:
- CPI credentials
- OAuth client secrets
- service key JSON files
- tenant-specific production endpoints if they are sensitive
- generated archives containing secrets
Recommended credential model
Use package manifests to declare what credentials are required, but keep actual values in tenant/runtime configuration.
The manifest should document expectations; it should not contain secret values.
Logging
Avoid logging:
- access tokens
- client secrets
- authorization headers
- raw service key JSON
- sensitive payload data
Operational recommendations
- Rotate secrets if accidental exposure occurs.
- Use
.gitignoreto block local credential files. - Review package manifests before release.
- Keep PRD tenant operations explicit and controlled.
- Document the owner of each credential and environment mapping.