From acaa644e250aa6c537afe68ed9b4e129c787a083 Mon Sep 17 00:00:00 2001
From: Ivan Malison <IvanMalison@gmail.com>
Date: Wed, 18 Feb 2026 22:08:18 -0800
Subject: [PATCH] Clarify credential handling in AGENTS instructions

---
 dotfiles/agents/AGENTS.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dotfiles/agents/AGENTS.md b/dotfiles/agents/AGENTS.md
index 5505f9f1..704a9958 100644
--- a/dotfiles/agents/AGENTS.md
+++ b/dotfiles/agents/AGENTS.md
@@ -50,6 +50,8 @@
 - When a credential (password, API key, token, etc.) is needed to complete a task, use the `pass` utility to retrieve it.
 - The pass password store lives at `~/.password-store/`.
 - Use `pass show <entry>` to retrieve a secret, or `pass find <search-term>` to locate entries.
+- Never write passwords or other credentials directly into version-controlled files in any repo (for example `dotfiles/claude/settings.local.json`).
+- Provide credentials to tools/config at runtime via environment variables or inline `pass` usage instead of committing them.
 - Never hardcode credentials or store them in plain text files.
 
 ## Project links (local symlink index)