Security

Secrets management

How Meridian handles API keys, environment variables, and sensitive configuration across development, CI, and production.

Never commit keys

API keys, database credentials, signing secrets, and license tokens must never appear in source code or version control. Meridian enforces this at the repository level with pre-commit hooks that scan for high-entropy strings matching known key patterns.

# .gitignore — always present in every Meridian repo
.env
.env.local
.env.production
*.pem
*.key

If a secret is accidentally committed, rotate it immediately and force-push a cleaned history. A compromised key invalidates the entire trust chain.

Use .env files

All secrets flow through environment variables. The loader reads from .env.local in development and from Vercel Environment Variables in production. Never hardcode fallback values — fail fast if a required variable is missing.

MERIDIAN_LICENSE_KEY=sk_live_...
UPSTASH_REDIS_URL=https://...
UPSTASH_REDIS_TOKEN=...
DISCORD_BOT_TOKEN=...
SELLAUTH_API_KEY=...

Rotate often

Every secret in Meridian has a maximum lifetime. License signing keys rotate every 90 days. API tokens rotate every 30 days. Session signing secrets rotate on every deploy. Automated rotation scripts run in CI and publish new values to Vercel before revoking the old ones — zero-downtime rotation is non-negotiable.

  • Ed25519 license keys — 90-day rotation
  • Upstash Redis tokens — 30-day rotation
  • Session HMAC secrets — per-deploy rotation

Scope per tier

Not every component needs every secret. The loader binary only receives the public verification key — never the private signing key. The dashboard only receives read-scoped Redis tokens. The Discord bot only receives the bot token and a webhook secret. Principle of least privilege applied at the environment-variable level.

Component      Secrets granted
Loader (C++)   Public Ed25519 key only
Dashboard      Read-scoped Redis, SellAuth API
Discord bot    Bot token, webhook secret
CI pipeline    Vercel deploy hook, signing key
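The fail-fast loading rule from "Use .env files" and the per-component scoping above, shown together as an added example (not Meridian's own loader). It assumes a public-key variable name, a webhook-secret variable name and the function names, none of which appear on this page; reading .env.local from disk is left to the caller.

```javascript
// Per-component allowlists (from the "Scope per tier" table); public-key and
// webhook-secret variable names are assumed, not taken from the page.
const SCOPES = Object.freeze({
  loader: ["MERIDIAN_LICENSE_PUBLIC_KEY"], // verification key, never the signing key
  dashboard: ["UPSTASH_REDIS_URL", "UPSTASH_REDIS_TOKEN", "SELLAUTH_API_KEY"],
  discordBot: ["DISCORD_BOT_TOKEN", "DISCORD_WEBHOOK_SECRET"],
});

// Minimal .env parser: KEY=VALUE per line, '#' comments, optional quotes.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    let value = line.slice(eq + 1).trim();
    if (/^(["']).*\1$/.test(value)) value = value.slice(1, -1);
    vars[line.slice(0, eq).trim()] = value;
  }
  return vars;
}

// Production takes only the platform-provided environment (Vercel); any other
// mode overlays .env.local on it, so a stray .env.local never reaches production.
function resolveEnv(nodeEnv, platformEnv, dotenvText) {
  if (nodeEnv === "production") return { ...platformEnv };
  return { ...platformEnv, ...parseDotenv(dotenvText) };
}

// Returns a frozen object holding only the variables this component is scoped to.
// Fails fast on any missing or empty value, reporting names only (never values).
function loadSecrets(component, env) {
  const names = SCOPES[component];
  if (!names) throw new Error(`unknown component: ${component}`);
  const missing = names.filter((n) => !env[n]);
  if (missing.length > 0) throw new Error(`${component}: missing required secrets: ${missing.join(", ")}`);
  return Object.freeze(Object.fromEntries(names.map((n) => [n, env[n]])));
}

// Constructed sample .env.local (placeholder values, not real secrets).
const SAMPLE_DOTENV = [
  "# local dev only",
  "UPSTASH_REDIS_URL=https://example.invalid",
  'UPSTASH_REDIS_TOKEN="tok_dev_placeholder"',
  "SELLAUTH_API_KEY=sa_dev_placeholder",
  "MERIDIAN_LICENSE_SIGNING_KEY=never_for_the_loader",
].join("\n");
```

Note that the signing key present in the sample file is withheld from the loader component entirely, and an error message lists only the missing variable names so a failed start never logs a secret.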

Quick reference

  • .env.local — local development secrets, gitignored
  • Vercel env vars — production secrets, encrypted at rest
  • CI secrets — GitHub Actions encrypted secrets for rotation jobs
  • 1Password — shared vault for emergency recovery keys