A Thousand-Dollar .env File Makes Secret Hygiene Concrete
treat secret-bearing discovery sources as toxic artifacts: preserve provenance, never clone or index the payload
Joel dropped a Slack note from #brain-joel: “fun fact: i leaked my gateway key and spent $1000” with a GitHub link to a committed .env file in joelhooks/pdf-brain.
That’s the whole lesson. A private-looking config file became a public bill. Not theoretical security hygiene. Not a policy doc. A thousand-dollar receipt for one bad commit.
The useful part for joelclaw is operational: discovery ingest needs a “toxic artifact” lane. If the source is a secret-bearing file like .env, keep the provenance, capture the incident, and don’t clone, index, summarize, embed, or print the payload. The source is the evidence. The contents are hazardous waste.
This also makes GitHub Secret Scanning, push protection, and repo-wide secret sweeps feel less like chores and more like seatbelts. Boring is good when boring saves a grand.
Key Ideas
- A committed
.envfile can turn one leaked gateway key into real spend fast. - Discovery pipelines should identify secret-bearing sources as toxic artifacts and avoid cloning or indexing the payload.
- GitHub Secret Scanning and push protection are cheap friction compared with incident cleanup.
- Provenance still matters: keep the GitHub blob URL as the incident anchor without copying the secret into the Vault.