?

Overview

Rousseau needs credentials for every backend it touches: API keys for LLM providers, bot tokens for chat transports, IMAP/SMTP passwords, cloud auth. This guide covers where they should live in production.

Three postures

Best for personal workstations and one-off daemons.

export ANTHROPIC_API_KEY='sk-ant-…'
export ROUSSEAU_SLACK_APP_TOKEN='xapp-…'
export ROUSSEAU_SLACK_BOT_TOKEN='xoxb-…'

Under systemd user units, the same idea in the [Service] section:

Environment=ROUSSEAU_LOG_FORMAT=json
EnvironmentFile=%h/.config/rousseau/secrets.env

Set secrets.env to chmod 600. Never commit it. Use direnv for shells.

Per-transport map

Field YAML Env
Anthropic API key anthropic.api_key ANTHROPIC_API_KEY (magic)
Bedrock AWS credential chain AWS_PROFILE, AWS_REGION
Vertex vertex.credentials_file GOOGLE_APPLICATION_CREDENTIALS
Slack app token slack.app_token ROUSSEAU_SLACK_APP_TOKEN
Slack bot token slack.bot_token ROUSSEAU_SLACK_BOT_TOKEN
Discord discord.token ROUSSEAU_DISCORD_TOKEN
Telegram telegram.token ROUSSEAU_TELEGRAM_TOKEN
Matrix matrix.access_token ROUSSEAU_MATRIX_ACCESS_TOKEN
Email IMAP pw email.imap_password ROUSSEAU_EMAIL_IMAP_PASSWORD
Email SMTP pw email.smtp_password ROUSSEAU_EMAIL_SMTP_PASSWORD
SMS (Twilio) sms.auth_token ROUSSEAU_SMS_AUTH_TOKEN
iMessage imessage.password ROUSSEAU_IMESSAGE_PASSWORD

Rotation discipline

  • Rotate LLM API keys quarterly. Bedrock/Vertex use the cloud IAM lifecycle instead.
  • Rotate bot tokens whenever an operator leaves the org.
  • After any suspected secret leak, revoke via the provider console first, then re-issue.

Detection

  • Enable govulncheck and secret-scanning in CI (trufflehog, gitleaks).
  • Grep journalctl -u rousseau-*.service for sk-ant- fragments — rousseau logs mask sensitive fields (mask() in internal/cli/doctor.go), but callers should audit any custom code.

Anti-patterns

  • Committing config.yaml to a public repository.
  • export ANTHROPIC_API_KEY=sk-… in .bashrc on a shared host.
  • Storing secrets in the same directory as the workspace bind mount.
  • Reusing a Slack app token across production and dev workspaces.

Related pages

Type to search 150+ pages. Ranking: BM25 with title/description boost.