Secrets & access
The one rule
Section titled “The one rule”No credential ever goes in a committed file, a chat log, or this wiki. If you’re about to paste a password, an API key, or a token somewhere — stop and check this page.
Where secrets live
Section titled “Where secrets live”| Kind of secret | Where it belongs |
|---|---|
| Dashboard integrations (SMS providers, Google Ads, Plaid, Stripe) | Encrypted in the dashboard DB — edit via Admin → Integrations & API Keys |
| Server-level config (DB password, app key) | The server’s .env file only |
| Site lead-delivery keys (Resend, Podium) | Cloudflare Pages env vars, per project — remember: env-var changes need a redeploy to take effect |
| Anything a repo needs locally | A gitignored CLAUDE.local.md in that repo (auto-loads for Claude, never committed) |
The committed CLAUDE.md in each repo = operational rules only, never credentials. That
split means the safe half is in git and the sensitive half never leaves the machine/server.
Access
Section titled “Access”- Wiki: viewing should be gated with Cloudflare Access (email-based login) once live —
it’s an internal manual. Editing requires a GitHub account with access to the
bcb-wikirepo. - Dashboard: role-based — super_admin / admin / dispatch / finance. Give people the
lowest role that does their job (dispatchers get
dispatch, bookkeeping getsfinance). Only a super_admin can grant elevated roles. See the roles table. - GitHub: repos are private under
OwnerOperated. Collaborators get added per-repo.
Rotating / fixing credentials
Section titled “Rotating / fixing credentials”- Dashboard webhook signature errors → re-paste the signing secret in Admin → Integrations & API Keys.
- Podium tokens are per Cloudflare Pages project — when rotating, update every site project and redeploy each one (env vars bind only on a new deployment).
- If Google Ads metrics stop pulling, the OAuth refresh token likely expired — regenerate and re-save in Integrations.