feat(skills): add secret-guard skill and core instruction #56

Open

neneaX wants to merge 1 commit into canonical:main from neneaX:feat/secret-guard-skill

Conversation

@neneaX commented Jul 3, 2026
Summary

Adds a secret-guard skill that lets agents authenticate to APIs and MCP servers without ever seeing secret values. The agent passes credential references (names); a trusted non-LLM broker resolves them from the OS keyring, injects them into the request, scrubs the response, and returns only scrubbed output.

What's included

  • skills/secret-guard/ (registered under the copilot-toolkit collection)
    • SKILL.md — teaches the reference-only model: never possess a secret value, only pass names.
    • scripts/keyring_broker.py — implements two mechanisms:
      • (a) resolve-and-inject (primary): resolves a named credential, injects it into an HTTP header, scrubs the response. The secret lives only in-process for one request.
      • (b) env-injecting exec (discouraged fallback): injects into a single child process's env for legacy CLIs that can only read env vars.
  • assets/instructions/common/secret-guard.instructions.md (core, applyTo: '**') — always-on baseline: authenticate by reference, never read secret files, redact values, sanitize subprocess envs.
  • README — documents the optional scripts/ and references/ skill subfolders (previously undocumented despite being used by several skills).
  • .gitignore — ignore .venv/ created by make lint-md.

Rationale

The naive approach (read .env, then redact) is self-defeating — you must possess a secret to redact it, and regex redaction is trivially bypassed by encoding. This design instead makes it architecturally impossible for the secret to enter the model's context: a trusted layer does resolve → inject → scrub.

Validation

  • ./scripts/validate_collections.sh .
  • ./tests/test_validate.sh
  • ./tests/test_install.sh
  • make lint-md on new/changed markdown ✅
  • Secret scan on the diff ✅ (no secrets)

Notes

  • No version bump — a release tag is expected post-merge per the README release process.

Add a secret-guard skill that lets agents authenticate to APIs and MCP
servers without ever seeing secret values. The agent passes credential
references (names); a trusted non-LLM broker resolves them from the OS
keyring, injects them into the request, scrubs the response, and returns
only scrubbed output.

- skills/secret-guard/: SKILL.md + keyring_broker.py (resolve-and-inject
  primary mechanism, discouraged env-injecting exec fallback), registered
  under the copilot-toolkit collection.
- assets/instructions/common/secret-guard.instructions.md: always-on core
  instruction enforcing authenticate-by-reference and no reading of secret
  files.
- README: document optional skill scripts/ and references/ subfolders.
- .gitignore: ignore .venv/ created by the markdown linter.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
neneaX requested a review from a team as a code owner July 3, 2026 19:23
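Added example, not the PR's own keyring_broker.py: a minimal broker in the shape the description outlines, to show that the agent only ever handles a credential name and that the scrub step has to cover encoded forms of the value as well as the raw one. `_FAKE_KEYRING` (an in-memory dict standing in for the OS keyring), `echo_transport` (a constructed fake HTTP call) and the function names are assumptions.

```python
import base64
import os
import re
from typing import Callable, Dict

# Constructed stand-in for the OS keyring (assumption); the real broker would
# query the platform keyring. The agent never sees these values, only the keys.
_FAKE_KEYRING: Dict[str, str] = {"github-token": "ghp_EXAMPLE_SECRET_0123"}

def resolve(name: str) -> str:
    """Resolve a credential *name* to its value inside the trusted broker only."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        # Reject anything that looks like a pasted value rather than a reference.
        raise ValueError("credential reference must be a bare name")
    if name not in _FAKE_KEYRING:
        raise KeyError(f"unknown credential reference: {name}")
    return _FAKE_KEYRING[name]

def scrub(text: str, secret: str) -> str:
    """Redact the value and its common encodings from anything returned to the agent."""
    forms = {secret, base64.b64encode(secret.encode()).decode(), secret.encode().hex()}
    for form in forms:
        text = text.replace(form, "[REDACTED]")
    return text

def resolve_and_inject(name: str, url: str,
                       transport: Callable[[str, Dict[str, str]], str]) -> str:
    """Primary mechanism: resolve -> inject into a header -> call -> scrub the result."""
    secret = resolve(name)
    headers = {"Authorization": f"Bearer {secret}"}
    try:
        body = transport(url, headers)
    except Exception as exc:
        # Error messages can carry the header back; scrub them before re-raising.
        raise RuntimeError(scrub(str(exc), secret)) from None
    return scrub(body, secret)

def child_env(name: str, var: str, allow: tuple = ("PATH", "HOME", "LANG")) -> Dict[str, str]:
    """Discouraged fallback: minimal env for one child process, allowlisted vars plus the secret."""
    env = {k: v for k, v in os.environ.items() if k in allow}
    env[var] = resolve(name)
    return env

def echo_transport(url: str, headers: Dict[str, str]) -> str:
    """Constructed fake HTTP call: a misbehaving server that echoes the token back."""
    token = headers["Authorization"].split(" ", 1)[1]
    b64 = base64.b64encode(token.encode()).decode()
    return f"GET {url} -> 200\nplain={token}\nbase64={b64}"
```

The echoing transport stands in for the worst case the description mentions: a response that reflects the credential, which the scrub step must catch in both its plain and its encoded forms before anything reaches the model.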