Doppler holds the values. Everything else is delivery.

What goes in Doppler

  • AI provider keys: OPENROUTER_API_KEY, CLAUDE_CODE_OAUTH_TOKEN, COPILOT_GITHUB_TOKEN, HF_TOKEN.
  • GitHub App credentials: GH_APP_CLAUDE_BOT_*, the SSH signing key for Actions-signed commits.
  • Slack webhooks (broadcast and per-channel).
  • Infrastructure runtime config: database passwords, RunsOn license, Qdrant credentials.

What does not go in Doppler

  • SSH keys for git auth (live in Bitwarden + ssh-agent).
  • Recovery codes, account passwords, age-key escrow (Bitwarden).
  • Anything an AI tool must never read (Bitwarden vault).
  • macOS-only GitHub PATs (Keychain — see macos-keychain).

Project / config layout

Three Doppler projects, three delivery modes — each lands in a different consumer.

| Doppler project | Delivery mode | Consumer |
|---|---|---|
| secrets-sync | Auto-sync → GitHub Actions secrets on the secrets-sync repo | secrets-sync workflow fans out (Tier 1) |
| iac-conf-mgmt/prd | Runtime fetch via dopplerhq/secrets-fetch-action | Infra CI jobs (Tier 2 — values never sit in GitHub) |
| ai-ci-automation/prd | doppler run -- wrapper at subprocess launch | Local dev + the doppler-mcp bridge |

Runtime fetch via GitHub Actions

For Tier 2 secrets that must never sit in GitHub Actions stores:

```yaml
- uses: dopplerhq/secrets-fetch-action@v1
  with:
    doppler-token: ${{ secrets.GH_ACTION_DOPPLER_IAC_CONF_MGMT }}
    inject-env-vars: true
```

The service token GH_ACTION_DOPPLER_IAC_CONF_MGMT is itself a Tier 1 secret distributed by secrets-sync to the two infra repos: ansible-proxmox-apps and terraform-runs-on.

Local-dev chain

The canonical chain pairs AWS Vault with Doppler so an MFA-protected AWS session wraps the Doppler injection:

```sh
aws-vault exec tf-proxmox -- doppler run -- terragrunt plan
```

Secrets injection happens at terragrunt's subprocess launch — no values touch your shell history or environment. For Terraform variables specifically, Doppler's name-transformer flag prefixes everything as TF_VAR_*:

```sh
doppler run --name-transformer tf-var -- terragrunt plan
```

Anti-patterns and best practices

  • Do not export DOPPLER_TOKEN in ~/.zshrc. Use the doppler-mcp wrapper or doppler login interactive auth. Tokens persisted in the shell env are reachable by every later command.
  • Do not store the same value in both Doppler and the Keychain. Pick one source of truth per secret. The Keychain is for tokens that only the macOS host uses (GitHub PATs); Doppler is for tokens that CI also needs.
  • Rotate the service tokens at 90 days. The rotation runbook lives in secrets-sync.
  • Audit log: enable Doppler’s per-project audit log; review on every PAT/key rotation.
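The local-dev chain above promises that no token values touch your shell history or environment, and the first anti-pattern is exactly the way that promise gets broken (a DOPPLER_TOKEN export in ~/.zshrc). The script below is an added example, not part of these docs or of Doppler's tooling: a host hygiene audit that checks the live environment for an exported DOPPLER_TOKEN, scans rc files for persisted exports, and scans shell history for pasted token literals, masking anything it finds so the report is not a new copy of the secret. The token prefixes dp.st., dp.pt., dp.ct. and dp.sa. are Doppler's token-type prefixes; the minimum token length, the function names and the sample rc/history contents are constructed for the example.

```sh
#!/bin/sh
# Developer-host hygiene audit for Doppler tokens. Added example, not from the
# original docs. Checks the three leak paths the page warns about:
#   1. DOPPLER_TOKEN exported in the live environment
#   2. DOPPLER_TOKEN persisted in a shell rc file (~/.zshrc and friends)
#   3. Doppler token literals pasted into shell history
# Prefixes dp.st./dp.pt./dp.ct./dp.sa. are Doppler's token types; the minimum
# body length of 8 characters is an assumption for the example.
TOKEN_RE='dp\.(st|pt|ct|sa)\.[A-Za-z0-9._-]{8,}'

# 1. Returns 0 when DOPPLER_TOKEN is set in the calling environment (even if
#    empty), which means every later command in that shell can read it.
env_has_doppler_token() {
    [ -n "${DOPPLER_TOKEN+set}" ]
}

# 2. Prints "line:text" for every uncommented line in the given rc file(s)
#    that assigns or exports DOPPLER_TOKEN. Returns 0 when at least one exists.
rc_token_exports() {
    grep -nE '^[[:space:]]*(export[[:space:]]+)?DOPPLER_TOKEN(=|[[:space:]]|$)' "$@" 2>/dev/null
}

# 3. Prints each Doppler token literal found in the given history file(s),
#    reduced to its type prefix plus "<redacted>" so the audit output does not
#    itself leak the token. Returns 0 when at least one was found.
history_token_literals() {
    found=$(grep -hoE "$TOKEN_RE" "$@" 2>/dev/null) || return 1
    printf '%s\n' "$found" | sed -E 's/^(dp\.[a-z]+\.).*/\1<redacted>/'
}

# Runs all three checks against one rc file and one history file.
# Returns 0 when the host is clean, 1 when any check fired.
audit_doppler_hygiene() {
    rc_file=$1
    hist_file=$2
    status=0
    if env_has_doppler_token; then
        echo "FAIL env: DOPPLER_TOKEN is exported in this shell (use doppler login or the doppler-mcp wrapper instead)"
        status=1
    fi
    if rc_lines=$(rc_token_exports "$rc_file"); then
        echo "FAIL rc: DOPPLER_TOKEN persisted in $rc_file:"
        echo "$rc_lines" | sed 's/^/  /'
        status=1
    fi
    if tokens=$(history_token_literals "$hist_file"); then
        echo "FAIL history: token literal(s) in $hist_file:"
        echo "$tokens" | sed 's/^/  /'
        status=1
    fi
    return "$status"
}

# Demo on constructed files; real use is:
#   audit_doppler_hygiene "$HOME/.zshrc" "$HOME/.zsh_history"
demo_dir=$(mktemp -d)
cat > "$demo_dir/zshrc" <<'EOF'
export PATH="$HOME/bin:$PATH"
# export DOPPLER_TOKEN=dp.st.prd.commented_out_is_ignored
export DOPPLER_TOKEN=dp.st.prd.AAAABBBBCCCCDDDD
EOF
cat > "$demo_dir/zsh_history" <<'EOF'
: 1700000000:0;aws-vault exec tf-proxmox -- doppler run -- terragrunt plan
: 1700000001:0;DOPPLER_TOKEN=dp.st.prd.AAAABBBBCCCCDDDD doppler secrets
EOF
if audit_doppler_hygiene "$demo_dir/zshrc" "$demo_dir/zsh_history"; then
    echo "clean"
else
    echo "findings present (see above)"
fi
rm -rf "$demo_dir"
```

The first history line (the canonical chain) is clean by design: the token never appears on the command line, so there is nothing for the history scan to find. The second line is what an inline `DOPPLER_TOKEN=... doppler ...` invocation leaves behind, which is why the page routes local auth through `doppler login` or the doppler-mcp wrapper instead.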

See also

  • secrets-sync — Tier 1 distribution.
  • aws-vault — the wrapping layer for the local-dev chain.
  • BWS — alternative for AI-specific OAuth tokens where Doppler is not yet wired up.
  • docs.dryvist.com — dryvist-internal project / config names.