If you discover a security issue in these dotfiles (e.g., accidentally committed secrets, insecure script patterns), please:
- Open an issue on this repository, or
- Contact me directly via GitHub
This repository follows a strict separation between configuration and secrets:

| File | Purpose | Committed |
|---|---|---|
| `.env.example` | Documents required environment variables | Yes |
| `.env` | Contains actual API keys and tokens | No |
| `*-secret-*.zsh` | Machine-specific secret configs | No |

See .env.example for the full list of environment variables needed:
- `GITHUB_PERSONAL_ACCESS_TOKEN` - GitHub API access
- `CONTEXT7_API_KEY` - Library documentation MCP server
- `OBSIDIAN_API_KEY` - Local Obsidian REST API
- `NTFY_TOPIC` - Push notification topic

```bash
# Copy the example file
cp .env.example .env
# Edit with your actual values
$EDITOR .env
```

The `.gitignore` excludes:
- Environment files: `.env`, `.env.local`
- Application state: Session files, history, caches
- Machine-specific configs: Work configurations, local overrides
- Sensitive app data: GitHub CLI tokens, 1Password configs, Raycast data
- All secrets loaded via environment variables, never hardcoded
- Git hooks and push protection prevent accidental secret commits
- Sensitive directories explicitly ignored in `.gitignore`
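
One way a pre-commit hook could enforce the file split and the "never hardcoded" rule above, as an added example rather than this repository's own hook. The function names, and the choice to treat any non-empty literal assigned to a `.env.example` variable as a hardcoded secret, are assumptions.

```sh
#!/bin/sh
# Added example: pre-commit hook for the file/secret split described above.
# Not this repository's hook; function names are hypothetical.

# Variables documented in .env.example (names taken from this page).
VARS='GITHUB_PERSONAL_ACCESS_TOKEN|CONTEXT7_API_KEY|OBSIDIAN_API_KEY|NTFY_TOPIC'

# Succeeds if the path's basename matches a "Committed: No" pattern.
is_secret_path() {
    case "${1##*/}" in
        .env|.env.local|*-secret-*.zsh) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads diff text on stdin; succeeds if an added line assigns a literal,
# non-empty value to one of VARS. Empty values and $VAR references pass.
has_hardcoded_secret() {
    grep -E "^\+.*($VARS)=[\"']?[^\"'\$[:space:]]" >/dev/null
}

# Checks every staged file; returns non-zero to abort the commit.
run_hook() {
    git diff --cached --name-only --diff-filter=ACMR | (
        status=0
        while IFS= read -r f; do
            if is_secret_path "$f"; then
                echo "blocked: $f is a secrets file" >&2
                status=1
            # Assumption: .env.example holds placeholders only, so skip it.
            elif [ "${f##*/}" != ".env.example" ] &&
                 git diff --cached -U0 -- "$f" | has_hardcoded_secret; then
                echo "blocked: $f hardcodes a documented secret" >&2
                status=1
            fi
        done
        exit "$status"
    )
}

# Run only when installed as .git/hooks/pre-commit, so the functions above
# can also be sourced and exercised on their own.
case "${0##*/}" in
    pre-commit) run_hook; exit $? ;;
esac
```

Save it as `.git/hooks/pre-commit` and mark it executable for Git to run it before each commit.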