Security

Do

- Store the token in user env vars, `.env` (gitignored), or `.secrets/github_token`
- Ensure `.gitignore` includes `.secrets/` and `.env`
- Use fine-grained tokens scoped to a single repository
- Rotate the token if accidentally exposed
Don't
- Never paste the token in agent chat or GitHub issues
- Never commit tokens or share screenshots with tokens visible
- Never use PowerShell scripts in this stack (antivirus / team policy) — Python only
SSL / corporate proxy
If you see SSL certificate errors toward api.github.com (common on Windows with corporate AV/proxy, sometimes elsewhere):
Install the optional `truststore` package, which lets Python use the OS trust store on Windows.
Token resolution order (CLI)
The CLI reads the token automatically:
1. `GITHUB_TOKEN` in the process environment (all OS)
2. Windows only: user env var read from the registry (helps IDE terminals)
3. `.env` at the repo root
4. `.secrets/github_token`
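The resolution order above, implemented as an added Python example (this is not the project's own CLI code). It assumes the repo root is passed in, reads the Windows user variable from `HKCU\Environment` via the stdlib `winreg` module, and reports only the winning source so that the token itself never reaches a log line; the `demo()` function builds a constructed sample repo in a temp dir to show which source wins at each step.

```python
import os
import tempfile
from pathlib import Path

def _read_user_env_var_windows(name):
    """Windows only: read a *user* env var from HKCU\\Environment (IDE terminals
    sometimes start before a newly set variable reaches their environment)."""
    try:
        import winreg  # stdlib on Windows; ImportError elsewhere
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, "Environment") as key:
            return winreg.QueryValueEx(key, name)[0] or None
    except (ImportError, OSError):
        return None

def _read_dotenv(path, name):
    """Minimal .env reader: KEY=VALUE lines, optional quotes, '#' comments skipped."""
    text = path.read_text(encoding="utf-8") if path.is_file() else ""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == name:
            return value.strip().strip("'\"") or None
    return None

def resolve_github_token(repo_root, environ=None, read_registry=_read_user_env_var_windows):
    """Return (token, source) in the documented order; log the source, never the token."""
    environ = os.environ if environ is None else environ
    root = Path(repo_root)
    if token := environ.get("GITHUB_TOKEN"):
        return token, "process environment"
    if token := read_registry("GITHUB_TOKEN"):
        return token, "windows user env var (registry)"
    if token := _read_dotenv(root / ".env", "GITHUB_TOKEN"):
        return token, ".env"
    secret_file = root / ".secrets" / "github_token"
    if secret_file.is_file() and (token := secret_file.read_text(encoding="utf-8").strip()):
        return token, ".secrets/github_token"
    return None, None

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample repo, removed on exit
        root = Path(tmp)
        (root / ".env").write_text('# constructed sample\nGITHUB_TOKEN="tok-from-dotenv"\n')
        (root / ".secrets").mkdir()
        (root / ".secrets" / "github_token").write_text("tok-from-file\n")
        no_registry = lambda name: None  # stand-in for the registry lookup off Windows
        chosen = [resolve_github_token(root, {"GITHUB_TOKEN": "tok-from-env"}, no_registry)[1],
                  resolve_github_token(root, {}, no_registry)[1]]
        (root / ".env").unlink()
        chosen.append(resolve_github_token(root, {}, no_registry)[1])
    return chosen  # ['process environment', '.env', '.secrets/github_token']
```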
The agent should run the script directly — not ask the user to paste tokens or commands when configured.