---
name: sec-key-01
description: Scans for hardcoded secrets and API keys.
version: "1.0.0"
specialist: Frank
governance: HARD_LOCK
---

# 🛡️ SEC-KEY-01: Secret Scanner (The Sentinel Protocol)
This is a FATAL integrity check.

## 🚫 Forbidden
Never hardcode API keys, service role keys, or JWT tokens in the codebase.

## ✅ Mandated
Always use environment variables (`process.env.VAR_NAME`) and keep them in `.env.local`.

Frank will scan for high-entropy strings and known key prefixes (Stripe, Google, Supabase) and block the commit if any are found outside of .env files.

---
*Provisioned by Rigstate CLI. Do not modify manually.*