Every committed value must work for any person who clones the repo right now. Real values come from runtime injection, never the filesystem.
Golden law 1 forbids real secrets in repo content. The table below is the canonical set of shape stand-ins to use instead, plus the injection paths that supply the real values at runtime.

Scrubbed values

| Type | Scrubbed value | Examples |
|---|---|---|
| IPv4 address | `192.168.0.*` | Last octet can be accurate when it has no security meaning |
| IPv6 address | `2001:db8::*` | RFC 3849 documentation prefix |
| External domain | `example.com` | Public services and APIs |
| Internal domain | `example.local` | LAN hostnames and services |
| API endpoint | `https://api.example.com:8006/api2/json` | Scrubbed domain pattern |
| Username | `terraform`, `admin`, `user` | Generic role-based names |
| Tokens and keys | `your-token-here` or `<token>` | Clearly marked placeholder |
Never write a real value even in a “wrong” example — the example becomes committed text. Use ${USER}, ${REPO_ROOT}, ${MAINTAINER_EMAIL}, ${NAS_HOST}, <redacted> for shape stand-ins where the placeholder needs to look like a variable.

Portable path references

Never commit absolute user paths (/Users/{username}/*, /home/{username}/*, $HOME/*, ~/*).
| Bad (user-specific) | Good (portable) | Use case |
|---|---|---|
| `/Users/john/.local/bin/tool` | `tool` | PATH lookup |
| `entry: /Users/john/.local/bin/ansible-lint` | `entry: ansible-lint` | Pre-commit hooks |
| `~/.ssh/id_rsa` | `# /path/to/your/ssh/key` | Templates |
| `$HOME/git/nix-config/main` | `${NIX_CONFIG_PATH}/main` | Env var for external paths |
| `/home/user/project/file.txt` | `./file.txt` | Relative paths within a project |
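The two tables above are review-time rules; the address and path rows are also machine-checkable. The script below is an added example of such a check, not the project's own tooling: it scans text for IPv4 literals outside `192.168.0.*`, IPv6 literals outside `2001:db8::*`, and the forbidden user-specific path prefixes, and exits non-zero when run as a pre-commit hook over files. The regexes, the `scan_text`/`scan_files` names and the sample input are assumptions constructed for this page; domain and token rows are deliberately not checked, because a regex cannot tell a real token from a placeholder.

```python
"""Scan committed text for values that should have been replaced by a shape stand-in.

Added example for this page, not the project's own tooling. It machine-checks the
rows of the two tables above that have a decidable shape: address literals must
use the scrubbed prefixes (192.168.0.*, 2001:db8::*) and paths must not be
user-specific. Domains and tokens are left out on purpose: a regex cannot tell a
real token from a placeholder, so those rows stay a review-time rule.
"""
import ipaddress
import re
import sys
from typing import List, Tuple

# Only these networks are acceptable as committed address literals (page table).
ALLOWED_IPV4 = ipaddress.ip_network("192.168.0.0/24")
ALLOWED_IPV6 = ipaddress.ip_network("2001:db8::/32")

IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
# Loose IPv6 candidate (>= 2 colon-separated hex groups); ipaddress.ip_address()
# decides whether a candidate really is an address, which drops e.g. 12:30:45.
IPV6_RE = re.compile(r"(?<![\w:])(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?![\w:])")
# User-specific path prefixes the page forbids: /Users/<name>/, /home/<name>/, $HOME/, ~/
USER_PATH_RE = re.compile(r"(?:/Users/[^/\s]+|/home/[^/\s]+|\$HOME|(?<!\w)~)(?=/)")

Finding = Tuple[int, str, str]  # (line number, kind, offending text)


def scan_text(text: str) -> List[Finding]:
    """Return every unscrubbed value in `text`, in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in IPV4_RE.finditer(line):
            try:
                addr = ipaddress.ip_address(m.group())
            except ValueError:
                continue  # an octet > 255, so not an address (version strings etc.)
            if addr not in ALLOWED_IPV4:
                findings.append((lineno, "ipv4", m.group()))
        for m in IPV6_RE.finditer(line):
            try:
                addr = ipaddress.ip_address(m.group())
            except ValueError:
                continue  # matched the loose regex but is not a valid IPv6 literal
            if addr not in ALLOWED_IPV6:
                findings.append((lineno, "ipv6", m.group()))
        for m in USER_PATH_RE.finditer(line):
            findings.append((lineno, "user-path", m.group()))
    return findings


def scan_files(paths: List[str]) -> int:
    """Pre-commit entry point: print findings, return 1 if any (so the hook fails)."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, kind, value in scan_text(fh.read()):
                print(f"{path}:{lineno}: unscrubbed {kind}: {value}")
                total += 1
    return 1 if total else 0


# Constructed sample, not taken from any real repo; each line exercises one rule.
SAMPLE = """\
pm_api_url = "https://192.168.0.52:8006/api2/json"   # ok: scrubbed IPv4 prefix
backup_host = "10.20.30.40"                          # flagged: not 192.168.0.*
nas = "2001:db8::10"                                  # ok: RFC 3849 prefix
nas6 = "fd00::10"                                     # flagged: not 2001:db8::*
entry: /Users/john/.local/bin/ansible-lint            # flagged: user-specific path
key: # /path/to/your/ssh/key                          # ok: template placeholder
cfg: $HOME/git/nix-config/main                        # flagged: $HOME path
identity: ~/.ssh/id_rsa                               # flagged: home-relative path
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(scan_files(sys.argv[1:]))
    for lineno, kind, value in scan_text(SAMPLE):
        print(f"sample:{lineno}: unscrubbed {kind}: {value}")
```

Run it with no arguments to see the five findings in the constructed sample, or wire `scan_files` into a pre-commit hook with the staged files as arguments. Note the deliberate caveat in the IPv4 rule: four-part version strings whose parts are all at most 255 look like addresses and will be flagged, which is the safe direction for a repo check.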

Variable indirection

Always reference sensitive values through a variable:
```hcl
# CORRECT: sensitive values reach the provider only through variables.
# Declare the token variables with `sensitive = true` so Terraform redacts
# them from plan output, and populate them at runtime (TF_VAR_*, Doppler, SOPS).
provider "proxmox" {
  pm_api_url          = var.proxmox_api_endpoint
  pm_api_token_id     = var.proxmox_api_token_id
  pm_api_token_secret = var.proxmox_api_token_secret
}

# WRONG — hardcoded real values. (The literals here are already shape
# stand-ins from the table above; in a real repo this block would be
# leaking the real ones.)
provider "proxmox" {
  pm_api_url      = "https://192.168.0.52:8006/api2/json"
  pm_api_token_id = "terraform@pam!abc123xyz="
}
```

Runtime secret injection

Real values come from one of these stores — never the repo:
  • macOS Keychain (ai-secrets, automation, elevate-access keychains): for AI / Claude projects and local CLI use; the secret lives only in the keychain, never in files or persistent environment variables
  • Doppler (`doppler run --name-transformer tf-var`): for infrastructure; the name transformer exposes each secret to Terraform as a TF_VAR_* variable for the duration of the command
  • SOPS + age: encrypted secrets at rest in git
  • Environment variables: CI/CD secrets or local .env files (never committed)
  • AWS Secrets Manager / Parameter Store: for AWS deployments
  • SSH agent: agent forwarding only; never commit keys
Tool deep-dives for each store live under Secrets tools.

macOS Keychain reuse

Every keychain read triggers a password approval prompt. Fetch the secret once into a shell variable, then inject the variable into every command that needs it. Never inline $(security find-generic-password ...) in each command.
```bash
# WRONG — prompts on every command (each $(security ...) is a separate keychain read)
TF_VAR_anthropic_key=$(security find-generic-password -s ANTHROPIC_API_KEY -w "${HOME}/Library/Keychains/ai-secrets.keychain") terragrunt plan
TF_VAR_anthropic_key=$(security find-generic-password -s ANTHROPIC_API_KEY -w "${HOME}/Library/Keychains/ai-secrets.keychain") terragrunt apply

# CORRECT — one prompt, then inject the variable into each command
ANTHROPIC_API_KEY=$(security find-generic-password -s ANTHROPIC_API_KEY -w "${HOME}/Library/Keychains/ai-secrets.keychain")
TF_VAR_anthropic_key="$ANTHROPIC_API_KEY" terragrunt plan
TF_VAR_anthropic_key="$ANTHROPIC_API_KEY" terragrunt apply
```
The same pattern applies to any keychain-backed secret and any security find-*-password invocation. Because ANTHROPIC_API_KEY is assigned without export, it stays a shell variable; only the commands that name it in a TF_VAR_ prefix receive the value in their environment.

What this connects to

Golden laws

The 15 non-negotiables — this page is the implementation of law 1.

Security overview

Which tool to reach for, for which kind of secret.

macOS Keychain

Tiered keychains, biometric unlock, the elevate-access boundary.

SOPS

Encrypted-at-rest config that can live in the repo without violating law 1.