doppler-secret-validation

仓库: terrylica/cc-skills
安装量: 64
排名: #11710

安装

npx skills add https://github.com/terrylica/cc-skills --skill doppler-secret-validation

Doppler Secret Validation Overview

Workflow for securely adding, validating, and testing API tokens and credentials in Doppler secrets management.

When to Use This Skill

Use this skill when:

User provides API tokens or credentials (PyPI, GitHub, AWS, etc.) User mentions "add to Doppler", "store secret", "validate token" User wants to test authentication before production use User needs to verify secret storage and retrieval Workflow Step 1: Test Token Format (Before Adding to Doppler)

Before storing in Doppler, validate token format:

Check token format, length, prefix

python3 -c "token = 'TOKEN_VALUE'; print(f'Prefix: {token[:20]}...'); print(f'Length: {len(token)}')"

Common token formats:

PyPI: pypi-... (179 chars) GitHub: ghp_... (40+ chars) AWS: 20-char access key + 40-char secret Step 2: Add Secret to Doppler doppler secrets set SECRET_NAME="value" --project PROJECT --config CONFIG

Example:

doppler secrets set PYPI_TOKEN="pypi-AgEI..." \ --project claude-config --config prd

Important: CLI doesn't support --note. Add notes via dashboard:

https://dashboard.doppler.com Navigate: PROJECT → CONFIG → SECRET_NAME Edit → Add descriptive note Step 3: Validate Storage

Use the bundled validation script:

/usr/bin/env bash << 'VALIDATE_EOF' cd ${CLAUDE_PLUGIN_ROOT}/skills/doppler-secret-validation uv run scripts/validate_secret.py \ --project PROJECT \ --config CONFIG \ --secret SECRET_NAME VALIDATE_EOF

This validates:

Secret exists in Doppler Secret retrieval works Environment injection works via doppler run

Example:

uv run scripts/validate_secret.py \ --project claude-config \ --config prd \ --secret PYPI_TOKEN

Step 4: Test API Authentication

Use the bundled auth test script (adapt test_api_authentication() for specific API):

/usr/bin/env bash << 'CONFIG_EOF' cd ${CLAUDE_PLUGIN_ROOT}/skills/doppler-secret-validation doppler run --project PROJECT --config CONFIG -- \ uv run scripts/test_api_auth.py \ --secret SECRET_NAME \ --api-url API_ENDPOINT CONFIG_EOF

Example (PyPI):

doppler run --project claude-config --config prd -- \ uv run scripts/test_api_auth.py \ --secret PYPI_TOKEN \ --api-url https://upload.pypi.org/legacy/

Step 5: Document Usage

After validation, document the usage pattern for the user:

/usr/bin/env bash << 'CONFIG_EOF_2'

Pattern 1: Doppler run (recommended for CI/scripts)

doppler run --project PROJECT --config CONFIG -- COMMAND

Pattern 2: Manual export (for troubleshooting)

export SECRET_NAME=$(doppler secrets get SECRET_NAME \ --project PROJECT --config CONFIG --plain) CONFIG_EOF_2

Step 5b: mise [env] Integration (Recommended for Local Development)

For multi-account GitHub setups or per-directory credential needs, integrate Doppler secrets with mise [env]:

.mise.toml

[ env ]

Option A: Direct Doppler CLI fetch (slower, always fresh)

GH_TOKEN = "{{ exec(command='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}" GITHUB_TOKEN = "{{ exec(command='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}"

Option B: Cache for performance (1 hour cache)

GH_TOKEN = "{{ cache(key='gh_token', duration='1h', run='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}" GITHUB_TOKEN = "{{ cache(key='gh_token', duration='1h', run='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}"

Note: Set BOTH GH_TOKEN and GITHUB_TOKEN - different tools check different variable names (gh CLI vs npm scripts).

Why mise [env]? Doppler doppler run is session-scoped; mise [env] provides directory-scoped credentials that persist across commands.

See mise-configuration skill for complete patterns.

Common Patterns Multiple Configs (dev, stg, prd)

Add secret to multiple environments:

Production

doppler secrets set TOKEN="prod-value" --project foo --config prd

Development

doppler secrets set TOKEN="dev-value" --project foo --config dev

Verify Secret Across Configs /usr/bin/env bash << 'CONFIG_EOF_3' for config in dev stg prd; do echo "=== $config ===" doppler secrets get TOKEN --project foo --config $config --plain | head -c 20 echo "..." done CONFIG_EOF_3

Security Guidelines Never log full secrets: Use ${SECRET:0:20}... masking Prefer doppler run: Scopes secrets to single command Use --plain only for piping: Human-readable view masks secrets Separate configs per environment: dev/stg/prd isolation Bundled Resources scripts/validate_secret.py - Complete validation suite (existence, retrieval, injection) scripts/test_api_auth.py - Template for API authentication testing references/doppler-patterns.md - Common CLI patterns and examples Reference Doppler docs: https://docs.doppler.com/docs CLI install: brew install dopplerhq/cli/doppler See doppler-patterns.md for comprehensive patterns

返回排行榜