fix(config): refuse to write secret keys to git-tracked config.yaml

[kevglynn]

Summary

P0 security fix. bd config set for secret keys (api_key, secret, token, password) now detects whether the target config.yaml is tracked by git and refuses the write with an actionable error message.

This addresses the verified credential-leak-on-default-path: the documented setup (bd config set linear.api_key ...) writes to .beads/config.yaml which is git-tracked by default, leaking Linear API keys into git history.

Changes

• internal/config/yaml_config.go — Added IsSecretKey, isGitTracked, CheckSecretKeyGitSafety functions. Secret key detection uses substring matching against api_key, secret, token, password. Git tracking detection uses git ls-files --error-unmatch.
• cmd/bd/config.go — Wired the safety check into config set and config set-many. Added --force-git-tracked escape hatch flag.
• cmd/bd/init_templates.go — Fixed stale comment that incorrectly claimed secrets are "stored in the database" — now documents they're in config.yaml and recommends env vars.
• examples/linear-workflow/README.md — Replaced bd config set linear.api_key with export LINEAR_API_KEY=...
• docs/CONFIG.md — Linear setup section now leads with env var approach.

Test plan

• 3 new tests: refuses git-tracked secret write, allows untracked config, allows non-secret keys on tracked config
• Full internal/config test suite passes (0 regressions)
• go vet clean
• --force-git-tracked escape hatch works for test environments

Backward compatibility

• Existing configurations are read unchanged; only writes are gated
• Non-secret config keys (linear.team_ids, linear.priority_map.*, etc.) are unaffected
• --force-git-tracked provides an opt-out for CI/test environments

Charter compliance

Security hygiene of an existing flow. No new features, no new config surface beyond the --force-git-tracked flag.

Related

• See also bug: bd export includes wisps in JSONL by default — privacy boundary violation #3649 (wisp leak) and bug: bd export includes memories in JSONL — private agent context leaks to git #3650 (memory leak) for additional privacy boundary fixes

---

^{Need help on this PR? Tag @codesmith with what you need.}

• Let Codesmith autofix CI failures and bot reviews

[codecov-commenter]

Codecov Report

❌ Patch coverage is 77.77778% with 14 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
cmd/bd/config.go	18.18%	9 Missing ⚠️
internal/config/yaml_config.go	88.63%	5 Missing ⚠️

📢 Thoughts on this report? Let us know!

[maphew]

Found two issues that should be fixed before merge:

1. cmd/bd/config.go:114: config set runs CheckSecretKeyGitSafety before checking IsYamlOnlyKey, so DB-backed secret-looking keys like notion.token are refused whenever .beads/config.yaml is tracked, even though they would not write to config.yaml. config set-many only checks yamlPairs, so the behavior is inconsistent. Move the check inside the YAML-only branch or make CheckSecretKeyGitSafety ignore non-YAML keys.

2. internal/config/yaml_config.go:126: secretKeyEnvVarHint generates generic env vars like AI_API_KEY for ai.api_key, but the code paths that use that config read ANTHROPIC_API_KEY. For a tracked config, the remediation message can tell users to set an env var Beads does not consume. This needs either key-specific env var mapping or the message should avoid suggesting unsupported env vars.

Verification performed locally:

• go test ./internal/config passed.
• go test ./cmd/bd -run 'Test.*Config|Test.*Notion|Test.*Linear' could not build in this environment because ICU headers are missing: unicode/uregex.h.

[maphew]

Maintainer follow-up pushed to the contributor branch in b3ab06b54 per PR_MAINTAINER_GUIDELINES.md instead of leaving this blocked on review rounds.

The follow-up addresses the two findings from my prior review:

• Secret git-tracking safety now ignores non-YAML-backed secret-looking keys such as notion.token, avoiding the config set / config set-many inconsistency.
• Env var remediation now uses real known env vars (LINEAR_API_KEY, GITHUB_TOKEN, ANTHROPIC_API_KEY) and falls back to BD_... for Viper-backed YAML config keys.

Local verification:

• gofmt on touched files
• git diff --check
• go test ./internal/config

Full PR CI is running on the new head commit.