
Prod.key

```js
// Select the key for the current environment from the secrets manager,
// so the same code path retrieves dev.key, staging.key or prod.key.
const env = process.env.NODE_ENV;
const key = await vault.read(`secret/data/${env}/key`); // env = "production" → retrieves prod.key securely
```

| Metric | Before (shared prod.key) | After (isolated keys) |
|--------|--------------------------|-----------------------|
| Prod key exposure | 12 incidents/year | 0 |
| Dev onboarding time | 45 min | 5 min |
| Rotation cost | 4 hours | 5 min |

| Layer | Tool/Method |
|-------|-------------|
| Pre-commit | detect-secrets, gitleaks |
| Repo scanning | GitHub secret scanning, GitGuardian |
| Runtime | HashiCorp Vault, AWS Secrets Manager |
| Rotation | Short-lived keys (TTL ≤ 24h) |

Paper 2: Software Engineering (Environment-specific keys)

Title: Managing Environment-Specific Keys: Best Practices for dev.key, staging.key, and prod.key

prod.key must never exist as a static file on developer workstations. Instead, ephemeral keys injected at deploy time and audited centrally eliminate the leak surface.
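The environment-keyed lookup from the snippet above, extended with an environment allowlist and the table's 24h TTL rule, as an added example that is not code from the original page. The `vault` client here is a hypothetical in-memory stand-in for a KV v2 store and the sample keys and lease lengths are constructed.

```javascript
const ALLOWED_ENVS = new Set(['dev', 'staging', 'production']);
const MAX_TTL_SECONDS = 24 * 60 * 60; // the table's "TTL ≤ 24h" rotation rule

// Build the KV v2 path for an environment. Only allowlisted names are accepted,
// so an unexpected NODE_ENV value (a typo, or "../production") cannot steer the
// lookup to a different secret than the one intended for this deployment.
function secretPathFor(env) {
  if (!ALLOWED_ENVS.has(env)) {
    throw new Error(`refusing to read a key for unknown environment "${env}"`);
  }
  return `secret/data/${env}/key`;
}

// Policy check: a lease longer than MAX_TTL_SECONDS means the key is not
// short-lived, which is the static prod.key situation the page warns about.
function enforceTtl(secret, env) {
  if (typeof secret.lease_duration !== 'number' || secret.lease_duration > MAX_TTL_SECONDS) {
    throw new Error(`key for "${env}" has lease ${secret.lease_duration}s, above the 24h policy`);
  }
  return secret;
}

// Hypothetical in-memory stand-in for a Vault client (a real one calls the HTTP API).
function makeMockVault(entries) {
  return {
    async read(path) {
      if (!(path in entries)) throw new Error(`no secret at ${path}`);
      return entries[path];
    },
  };
}

// Same flow as the page's snippet, with the path and TTL checks applied.
async function loadEnvKey(vault, env) {
  const secret = enforceTtl(await vault.read(secretPathFor(env)), env);
  return secret.data.key;
}

// Constructed sample store: per-environment keys with different lease lengths.
const sampleVault = makeMockVault({
  'secret/data/dev/key':        { data: { key: 'dev-key-constructed' },   lease_duration: 3600 },
  'secret/data/production/key': { data: { key: 'prod-key-constructed' },  lease_duration: 86400 },
  'secret/data/staging/key':    { data: { key: 'stale-key-constructed' }, lease_duration: 604800 },
});

const currentEnv = process.env.NODE_ENV || 'dev';
loadEnvKey(sampleVault, currentEnv)
  .then((key) => console.log(`loaded key for ${currentEnv}: ${key.length} chars`))
  .catch((err) => console.error(err.message));
```

With the constructed store, the staging key is rejected by the TTL check because its week-long lease is exactly the kind of long-lived static key the policy forbids.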