| 1 | Project: api-key-auth |
| 2 | |
| 3 | ## Constraints |
| 4 | - Do not hardcode the secret in the source |
| 5 | - Keep it simple |
| 6 | |
| 7 | ## Lessons |
- Confirm proposed actions before executing: the user declined a proposed change (user_text_decline): "No, do not hardcode the secret in the source. Read the API key from an environment variable instead." [node_002]
- Treat the user's security corrections as requirements: the user flagged a security concern about a prior action that carried no security label [signal: human security correction]: "No, do not hardcode the secret in the source. Read the API key from an environment variable instead." [node_001, node_003]
- Load secrets from the runtime environment, not the source tree: User said: "No, do not hardcode the secret in the source. Read the API key from an environment variable instead." [node_001]
- Keep secrets pasted into the conversation out of files, logs and commits (the test key is shown redacted here): User said: "Here is my test key [REDACTED:anthropic-key], confirm the admin route rejects a bad key." [node_001]
| 12 | |
| 13 | ## Security |
- (high) [node_003] "git commit -am " (stages and commits every tracked change; a key hardcoded in source would land in history)
| 15 | - (stated intent) [node_001] "No, do not hardcode the secret in the source. Read the API key from an environment variable instead." |
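The check the conversation asks for, as an added example (not the project's own code): the admin key is read from an environment variable and never appears in source, the route compares keys in constant time, and it fails closed when no key is configured. The variable name ADMIN_API_KEY, the X-API-Key header and all function names are assumptions; the page gives none of them.

```python
"""Added example, not code from the project: an admin route whose API key is
read from the environment, with a fail-closed check when it is unset.

Assumptions not stated on the page: the variable is named ADMIN_API_KEY and
the client presents the key in an X-API-Key header.
"""
import hmac
import os

ENV_VAR = "ADMIN_API_KEY"  # assumed name; the page does not give one
HEADER = "X-API-Key"       # assumed header; the page does not give one


def load_admin_key(environ=None):
    """Return the admin key from the environment, or None if unset or empty.

    The key lives only in the process environment, so a `git commit -am`
    of the source tree cannot capture it.
    """
    environ = os.environ if environ is None else environ
    key = environ.get(ENV_VAR, "")
    return key if key else None


def key_matches(presented, expected):
    """Constant-time comparison so a wrong key cannot be narrowed byte by byte."""
    if presented is None or expected is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def admin_route(headers, expected_key):
    """Minimal admin handler returning (status, body).

    Rejects an unconfigured key with 503 and a missing or wrong key with 401
    before any admin logic would run.
    """
    if expected_key is None:
        # Fail closed: with no key configured, nobody gets in.
        return 503, "admin key not configured"
    presented = headers.get(HEADER)
    if not key_matches(presented, expected_key):
        return 401, "unauthorized"
    return 200, "admin ok"


def verify_rejects_bad_key(environ):
    """The confirmation the user asked for, against a supplied environment.

    Returns the status observed for a missing header, a wrong key, the right
    key, and the case where the variable is not set at all.
    """
    key = load_admin_key(environ)
    return {
        "missing_header": admin_route({}, key)[0],
        "wrong_key": admin_route({HEADER: "not-the-key"}, key)[0],
        "right_key": admin_route({HEADER: key}, key)[0],
        "unset_env": admin_route({HEADER: "anything"}, load_admin_key({}))[0],
    }


if __name__ == "__main__":
    # Constructed environment for a local run; a real deployment sets the
    # variable in the service environment, never in the repository.
    sample_env = {ENV_VAR: "constructed-local-test-key"}
    print(verify_rejects_bad_key(sample_env))
```

Run it as `ADMIN_API_KEY=<value> python admin_check.py` (the filename is arbitrary) or with the constructed environment shown; the expected result is 401 for a missing or wrong key, 200 for the right one, and 503 when the variable is absent. The test key pasted into the conversation is used only by setting it in the shell environment for that run, not by writing it into any file.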
| 16 | |
| 17 | ## Next |
| 18 | - Continue: Here is my test key [REDACTED:anthropic-key], confirm the admin route rejects a bad key. |
- Constraint: No, do not hardcode the secret in the source. Read the API key from an environment variable instead.