{
  "id": "secrets_management",
  "label": "Secrets Management Canonical",
  "phase": "phase-08",
  "category": "security_governance",
  "status": "ACTIVE_DH_MIRROR",
  "purpose": "Define how DEVON-DEV protects .env files, tokens, passwords, API keys, SSH keys, database credentials, production credentials and any sensitive runtime secret before an operator, tool, LLM prompt, log stream or UI surface can touch them.",
  "function": "Prevent credential leakage by masking sensitive values, separating sandbox and production secrets, enforcing secret_access permission, registering aliases and fingerprints instead of raw values, redacting prompts/logs and blocking unnecessary secret exposure to the LLM.",
  "secret_contract": {
    "requires_secret_inventory": true,
    "requires_secret_alias": true,
    "requires_secret_fingerprint": true,
    "requires_secret_type": true,
    "requires_environment_scope": true,
    "requires_project_scope": true,
    "requires_owner": true,
    "requires_access_policy": true,
    "requires_rotation_status": true,
    "requires_redaction_policy": true,
    "requires_secret_access_permission": true,
    "requires_audit_link": true,
    "blocks_raw_secret_logging": true,
    "blocks_raw_secret_ui_display": true,
    "blocks_raw_secret_prompt_injection": true,
    "blocks_cross_environment_secret_reuse": true,
    "blocks_production_secret_access_without_permission": true,
    "blocks_external_transmission_without_policy": true,
    "decision_authority": "NONE_FSM_DECIDES"
  },
  "protected_secret_classes": [
    ".env",
    "api_token",
    "password",
    "ssh_key",
    "database_credential",
    "service_account_key",
    "webhook_secret",
    "oauth_secret",
    "jwt_secret",
    "encryption_key",
    "production_credential",
    "sandbox_credential"
  ],
  "technology_requirements": [
    {
      "technology": "Secrets Store",
      "required_for": "Store or reference DEVON-DEV secrets through aliases, fingerprints, scopes and access policy rather than raw values in configuration, logs, prompts or panel state.",
      "required_by_phase": "phase-08",
      "required_by_category": "secrets_management",
      "required_by_buckets": [
        "Prerequisites",
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until secret alias registry, fingerprinting and scoped lookup exist",
      "validation_command": "MISSING until secret lookup can prove alias, fingerprint, environment_scope, access_policy, no raw value exposure and audit link",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/secrets_management_canonical.json",
      "status_source": "Documentation Hub + future Secrets Store + RBAC Service + Audit Trail Store",
      "blocking_if_missing": true,
      "failure_impact": "Without Secrets Store, DEVON-DEV must handle credentials as raw text and cannot prove that secret material stayed out of logs, prompts, UI and unauthorized tool paths."
    },
    {
      "technology": "Secret Masking Engine",
      "required_for": "Mask sensitive values in terminal output, logs, panel views, validation output, shell output, error traces and diagnostic records.",
      "required_by_phase": "phase-08",
      "required_by_category": "secrets_management",
      "required_by_buckets": [
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery"
      ],
      "expected_version": "MISSING until masking patterns, fingerprint matching and output filters exist",
      "validation_command": "MISSING until masking check can prove raw input, masked output, secret class, fingerprint match and leak-prevention result",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/secrets_management_canonical.json",
      "status_source": "Documentation Hub + future Logging Stack + Execution Logs + Security Monitoring",
      "blocking_if_missing": true,
      "failure_impact": "Without Secret Masking Engine, a valid command, traceback, test output or log stream can expose credentials while appearing operationally successful."
    },
    {
      "technology": "Prompt Secret Redaction",
      "required_for": "Prevent raw secrets from being sent to the LLM unless a narrowly governed, evidence-backed exception exists.",
      "required_by_phase": "phase-08",
      "required_by_category": "secrets_management",
      "required_by_buckets": [
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until prompt assembly can detect secret-like values and replace them with aliases or fingerprints",
      "validation_command": "MISSING until prompt redaction can prove secret detected, alias substituted, raw value excluded, reason recorded and audit link emitted",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/secrets_management_canonical.json",
      "status_source": "Documentation Hub + future Prompt Governance + Prompt / Instruction Assembly + Audit Trail Store",
      "blocking_if_missing": true,
      "failure_impact": "Without Prompt Secret Redaction, DEVON-DEV can leak credentials into model context and lose control of where the secret material travels."
    },
    {
      "technology": "Environment Secret Boundary",
      "required_for": "Separate sandbox, production, project-specific and service-specific credentials so an operation cannot reuse or expose secrets outside its authorized environment.",
      "required_by_phase": "phase-08",
      "required_by_category": "secrets_management",
      "required_by_buckets": [
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until environment-scoped secret policy and lookup enforcement exist",
      "validation_command": "MISSING until environment boundary check can prove secret_scope, requested_environment, actor_permission, allow/deny result and audit record",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/secrets_management_canonical.json",
      "status_source": "Documentation Hub + future Environment Registry + RBAC Service + Secrets Store",
      "blocking_if_missing": true,
      "failure_impact": "Without Environment Secret Boundary, sandbox work can accidentally use production credentials or expose project secrets across environment lines."
    },
    {
      "technology": "Secret Rotation Registry",
      "required_for": "Track credential age, rotation status, replacement plan, revoked state and leak-response requirements.",
      "required_by_phase": "phase-08",
      "required_by_category": "secrets_management",
      "required_by_buckets": [
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until rotation metadata and leak-response workflow exist",
      "validation_command": "MISSING until rotation registry can prove secret alias, fingerprint, created_at, rotated_at, revoked_at, owner and current status",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/secrets_management_canonical.json",
      "status_source": "Documentation Hub + future Secrets Store + Security Monitoring + Incident Management",
      "blocking_if_missing": false,
      "failure_impact": "Without Secret Rotation Registry, DEVON-DEV cannot distinguish current, stale, revoked or suspected-leaked credentials during recovery and incident response."
    }
  ],
  "depends_on": [
    "sec",
    "rbac_permissions",
    "fsm_absolute_decision",
    "decision_rule_registry",
    "tool_registry",
    "policy_compiler",
    "config_registry",
    "environment_registry",
    "multi_project_isolation",
    "data_governance",
    "compliance_legal_guardrails",
    "execution_ledger",
    "execution_logs",
    "audit_trail",
    "architecture_source_registry"
  ],
  "used_by": [
    "app_security",
    "runtime_security",
    "delivery_security",
    "security_monitoring",
    "multi_project_isolation",
    "data_governance",
    "compliance_legal_guardrails",
    "filesystem_operations",
    "shell_execution",
    "production_deployment_gate",
    "external_knowledge_access",
    "prompt_governance",
    "prompt_instruction_assembly",
    "future_execution_monitoring_panel"
  ]
}
