> ## Documentation Index
> Fetch the complete documentation index at: https://docs.jacobpevans.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Scrubbed values

> The canonical placeholders for IPs, domains, usernames, and tokens in every committed file. Variable indirection, portable paths, keychain reuse.

> Every committed value must work for any person who clones the repo right now. Real values come from runtime injection, never the filesystem.

[Golden law 1](/security/golden-laws#1-no-secret-at-rest-in-plaintext-outside-an-authorized-store) forbids real secrets in repo content. The table below is the canonical set of shape stand-ins to use *instead*, plus the injection paths that supply the real values at runtime.

## Scrubbed values

| Type            | Scrubbed value                           | Examples                                                   |
| --------------- | ---------------------------------------- | ---------------------------------------------------------- |
| IPv4 address    | `192.168.0.*`                            | Last octet can be accurate when it has no security meaning |
| IPv6 address    | `2001:db8::*`                            | RFC 3849 documentation prefix                              |
| External domain | `example.com`                            | Public services and APIs                                   |
| Internal domain | `example.local`                          | LAN hostnames and services                                 |
| API endpoint    | `https://api.example.com:8006/api2/json` | Scrubbed domain pattern                                    |
| Username        | `terraform`, `admin`, `user`             | Generic role-based names                                   |
| Tokens and keys | `your-token-here` or `<token>`           | Clearly marked placeholder                                 |

Never write a real value even in a "wrong" example — the example becomes committed text. Use `${USER}`, `${REPO_ROOT}`, `${MAINTAINER_EMAIL}`, `${NAS_HOST}`, `<redacted>` for shape stand-ins where the placeholder needs to look like a variable.

## Enforcement: the secret-scan gate

The public `docs` repo runs a fail-closed [gitleaks](https://github.com/gitleaks/gitleaks) check (`.github/workflows/secret-scan.yml`) on every PR and push to `main`, via [`gitleaks-action`](https://github.com/gitleaks/gitleaks-action). A finding fails the job, so a sensitive value cannot merge.

So the *list of what counts as sensitive stays private*, the rule set is **never committed**. It lives only as the `dryvist` org Actions secret `GITLEAKS_PRIVATE_CONFIG`, injected into CI at run time. The scan runs with `--redact`, and the public-output features (PR comments, SARIF artifact, job summary) are disabled, so neither the patterns nor any match ever surface publicly. `useDefault` covers generic credentials; org-specific rules cover the values that must never appear here.

The same gate runs on the draft PRs opened by the [Docs Sync routine](/automation/scheduled-routines/claude-code-routines), so machine-authored content is held to the same bar as anything authored by hand.

## Portable path references

**Never commit absolute user paths** (`/Users/{username}/*`, `/home/{username}/*`, `$HOME/*`, `~/*`).

| Bad (user-specific)                          | Good (portable)           | Use case                        |
| -------------------------------------------- | ------------------------- | ------------------------------- |
| `/Users/john/.local/bin/tool`                | `tool`                    | PATH lookup                     |
| `entry: /Users/john/.local/bin/ansible-lint` | `entry: ansible-lint`     | Pre-commit hooks                |
| `~/.ssh/id_rsa`                              | `# /path/to/your/ssh/key` | Templates                       |
| `$HOME/git/nix-config/main`                  | `${NIX_CONFIG_PATH}/main` | Env var for external paths      |
| `/home/user/project/file.txt`                | `./file.txt`              | Relative paths within a project |

## Variable indirection

Always reference sensitive values through a variable:

```hcl theme={null}
# CORRECT
provider "proxmox" {
  pm_api_url      = var.proxmox_api_endpoint
  pm_api_token_id = var.proxmox_api_token
}

# WRONG — hardcoded real values
provider "proxmox" {
  pm_api_url      = "https://192.168.0.52:8006/api2/json"
  pm_api_token_id = "terraform@pam!abc123xyz="
}
```

## Runtime secret injection

Real values come from one of these stores — never the repo:

* **macOS Keychain** (`ai-secrets`, `automation`, `elevate-access` keychains) — for AI / Claude projects and local CLI use, never in files or env vars
* **Doppler** — `doppler run --name-transformer tf-var` for infrastructure
* **SOPS + age** — encrypted secrets at rest in git
* **Environment variables** — CI/CD secrets or local `.env` files (never committed)
* **AWS Secrets Manager / Parameter Store** — for AWS deployments
* **SSH agent** — agent forwarding only; never commit keys

Tool deep-dives for each store live under [Secrets tools](/security/overview#which-tool-for-which-secret).

## macOS Keychain reuse

**Every keychain read triggers a password approval prompt.** Fetch the secret once into a shell variable, then inject the variable into every command that needs it. Never inline `$(security find-generic-password ...)` in each command.

```bash theme={null}
# WRONG — prompts on every command
TF_VAR_anthropic_key=$(security find-generic-password -s ANTHROPIC_API_KEY -w "${HOME}/Library/Keychains/ai-secrets.keychain") terragrunt plan
TF_VAR_anthropic_key=$(security find-generic-password -s ANTHROPIC_API_KEY -w "${HOME}/Library/Keychains/ai-secrets.keychain") terragrunt apply

# CORRECT — one prompt, then inject the variable
ANTHROPIC_API_KEY=$(security find-generic-password -s ANTHROPIC_API_KEY -w "${HOME}/Library/Keychains/ai-secrets.keychain")
TF_VAR_anthropic_key=$ANTHROPIC_API_KEY terragrunt plan
TF_VAR_anthropic_key=$ANTHROPIC_API_KEY terragrunt apply
```

The same pattern applies to any keychain-backed secret and any `security find-*-password` invocation.

## What this connects to

<CardGroup cols={2}>
  <Card title="Golden laws" icon="shield-halved" href="/security/golden-laws">
    The 15 non-negotiables — this page is the implementation of law 1.
  </Card>

  <Card title="Security overview" icon="lock" href="/security/overview">
    Which tool to reach for, for which kind of secret.
  </Card>

  <Card title="macOS Keychain" icon="key" href="/security/tools/macos-keychain">
    Tiered keychains, biometric unlock, the elevate-access boundary.
  </Card>

  <Card title="SOPS" icon="file-shield" href="/security/tools/sops">
    Encrypted-at-rest config that can live in the repo without violating law 1.
  </Card>
</CardGroup>
