# Git and secrets policy

## Git

All durable text assets should be reviewable in Git.

Good candidates:

- architecture docs
- runbooks
- shared knowledge
- non-secret `.env.example`
- SOUL.md identity files
- desired cron declarations
- reusable skills

Bad candidates:

- `.env`
- auth files
- SSH keys
- tokens
- runtime databases
- sessions
- logs
- generated scheduler output
- caches

## Before committing

Run:

```bash
git status --short --branch --untracked-files=all
git diff --check
```

For Agent0, also run:

```bash
python3 -m json.tool agents/gerhard-hermes/cron/desired-jobs.json >/dev/null
docker compose config --services >/dev/null
```

## Secrets

Never read or commit live secret files unless the human explicitly asks and the action is necessary.

Sensitive filenames include:

- `.env`
- `secrets.env`
- `auth.json`
- SSH private keys
- token files
- password dumps

When documenting required credentials, use names and placeholders only:

```text
CONTENT_API_KEY=***
AGENT_PASSWORD=***
```
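
The sensitive-filename list above can be enforced before `git commit` with a check that looks at staged path names only and never opens the files. This is an added example, not part of the original policy; the script name `check-secrets.sh`, the function names, and the glob patterns for SSH private keys, token files and password dumps are assumptions.

```bash
#!/bin/sh
# Added example: filename-only check, so no secret file is ever opened.

# is_sensitive_path PATH: succeeds when the basename is on the policy's
# sensitive list. Patterns for SSH private keys, token files and password
# dumps are assumptions; the policy names the categories, not the globs.
is_sensitive_path() {
  _base=${1##*/}
  case "$_base" in
    .env.example) return 1 ;;                       # allowed by the policy
    .env|secrets.env|auth.json) return 0 ;;         # named in the policy
    id_rsa|id_ecdsa|id_ed25519|*.pem) return 0 ;;   # assumed SSH key names
    *.token|*password*dump*) return 0 ;;            # assumed token/dump names
  esac
  return 1
}

# blocked_paths: reads newline-separated paths on stdin, prints sensitive ones.
blocked_paths() {
  while IFS= read -r _p; do
    if [ -n "$_p" ] && is_sensitive_path "$_p"; then
      printf '%s\n' "$_p"
    fi
  done
}

# check_staged: fails if any added, copied, modified or renamed path in the
# index is sensitive. Intended to be called from .git/hooks/pre-commit.
check_staged() {
  _hits=$(git diff --cached --name-only --diff-filter=ACMR | blocked_paths)
  if [ -n "$_hits" ]; then
    printf 'Refusing to commit sensitive files:\n%s\n' "$_hits" >&2
    return 1
  fi
  return 0
}

# Run the check only when asked, e.g. `sh check-secrets.sh --staged`.
if [ "${1:-}" = "--staged" ]; then
  check_staged || exit 1
fi
```

Paths are matched by basename, so a `.env` in any subdirectory is caught while `.env.example` stays committable.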