Infisical (Secrets Management)
Purpose: Single source of truth for all secrets and API keys — every service credential lives here, nothing is hardcoded or stored in shell environment.
URL/Endpoint: https://eu.infisical.com (EU endpoint — always use EU, not US)
Auth: Infisical CLI — run infisical login once. Credentials are cached locally for subsequent use.
Key Operations
- Inject secrets into any command:
  infisical run --env=dev -- <command>
- Run a Python script with secrets:
  infisical run --env=dev -- python script.py
- Retrieve a single secret:
  infisical run --env=dev -- bash -c 'echo $SECRET_NAME'
- Store a new secret interactively:
  liflode-scripts/powershell/set-secret.ps1 SECRET_NAME
Dependencies
- Infisical CLI installed on host
- EU endpoint (eu.infisical.com) — the US endpoint is not used
Related ADRs
- ADR-128: All secrets must route through Infisical; ANTHROPIC_API_KEY must never be in shell env
Runbook
If a script throws an auth or missing-key error, check that infisical run --env=dev -- is prepended to the command. Never export secrets as shell environment variables — always inject at runtime via the CLI.
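One way to check a workstation against ADR-128 while working through the runbook, as an added example (not part of the original page or the project's scripts). The function names, the SECRET_NAMES variable and the rc-file paths passed in are assumptions; secret values are never printed.

```shell
#!/bin/sh
# Added example: audit for secrets that live in the shell instead of being
# injected at runtime by `infisical run --env=dev -- <command>`.

# Space-separated secret names to audit (assumed variable; ADR-128 names this key).
SECRET_NAMES="${SECRET_NAMES:-ANTHROPIC_API_KEY}"

# Print "env:NAME" for every audited name exported in the current environment.
exported_in_env() {
    for name in $SECRET_NAMES; do
        # `env` lists exported variables only; match on the NAME= prefix.
        if env | grep -q "^${name}="; then
            printf 'env:%s\n' "$name"
        fi
    done
}

# Print "FILE:LINE:NAME" for every assignment of an audited name found in the
# given files (shell rc files, .env files). Unreadable files are skipped.
persisted_in_files() {
    for file in "$@"; do
        [ -r "$file" ] || continue
        for name in $SECRET_NAMES; do
            awk -v n="$name" -v f="$file" '
                $0 ~ ("^[ \t]*(export[ \t]+)?" n "=") {
                    printf "%s:%d:%s\n", f, NR, n
                }' "$file"
        done
    done
}

# Print all findings; return 0 when clean and 1 when anything was found.
audit_secrets() {
    findings="$(exported_in_env; persisted_in_files "$@")"
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Call it as audit_secrets ~/.bashrc ~/.profile from the shell being debugged; a non-zero exit means a secret is exported or persisted outside Infisical.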