tighten secret handling guidance
@@ -33,12 +33,13 @@ Always invoke pass_mgr through the `pcexec` tool. Do NOT run pass_mgr directly.
|
|||||||
|
|
||||||
## Usage notes
|
## Usage notes
|
||||||
|
|
||||||
- Treat all outputs as sensitive. Do not echo secrets unless explicitly requested.
|
- Treat all outputs as sensitive. Never echo secrets.
|
||||||
- When the agent needs credentials to access a resource, first try `list` to see if a matching key already exists before asking the user.
|
- When the agent needs credentials to access a resource, first try `list` to see if a matching key already exists before asking the user.
|
||||||
- Prefer `generate` when the user wants a new secret or password.
|
- Prefer `generate` when the user wants a new secret or password.
|
||||||
- Use `set` to store both username and secret in one step.
|
- Use `set` to store both username and secret in one step.
|
||||||
- Use `get-username` and `get-secret` for retrieval.
|
- Use `get-username` and `get-secret` for retrieval.
|
||||||
- Storing can be explicit (user asks) or proactive after the agent successfully registers/creates an account.
|
- Storing can be explicit (user asks) or proactive after the agent successfully registers/creates an account.
|
||||||
|
- Secrets should be fetched and used immediately in a command, not displayed (e.g., `xxx_cli login --user $(pass_mgr get-username some_key) --pass $(pass_mgr get-secret some_key)`).
|
||||||
|
|
||||||
## Examples (pcexec)
|
## Examples (pcexec)
|
||||||
|
|
||||||
|
|||||||
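Review bot: In the example on the added bullet, `--pass $(pass_mgr get-secret some_key)` expands the secret into the argument list of `xxx_cli`, so it is not displayed but is still readable by other local processes through the process table and by anything that logs executed commands. Suggest wording the bullet to prefer a stdin or environment-variable input when the target CLI offers one, and to treat the argv form as a fallback. The example also calls `pass_mgr` without showing `pcexec`, which reads as conflicting with the rule in the hunk header context ("Always invoke pass_mgr through the `pcexec` tool. Do NOT run pass_mgr directly."); one sentence stating that the whole command runs under `pcexec` would remove the ambiguity. Finally, changing "Do not echo secrets unless explicitly requested" to "Never echo secrets" leaves no stated path for a user who asks to see a value produced by `generate`; the notes should say what the agent does in that case.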