Security
Automation should use least-privilege tokens, keep platform credentials server-side, and avoid writing generated secrets into repo files.
CI tokens
- Use PDS_TOKEN for CI and keep it in the CI secret store.
- rawToken is returned once when a token is created; store only that value in the secret store.
- Never commit tokens, credentials, .env files, or generated token output.
- Never print bearer values or generated tokens in agent summaries.
Platform publish prerequisites
- List distribution connections through the CLI before publish.
- Select the server-side platform connection with the CLI when needed.
- YouTube OAuth credentials stay server-side.
- Never store YouTube OAuth credentials or connected-account secrets in CLI config, repo files, or CI.
Least-privilege scopes
- project:create
- project:read
- project:write
- pipeline:run
- artifact:read
- distribution:package
- distribution:publish
- token:manage
Include token:manage only for flows that create, list, or revoke automation tokens.
Cloud wildcard project tokens require a Firebase admin custom claim on a direct interactive admin auth flow. PDS agent-token profiles cannot mint cloud wildcard tokens; release automation should use project:create instead.
Redaction expectations
- Public metadata such as token id, label, scope list, project allowlist, and expiration may be summarized.
- Credential values, bearer values, refresh values, one-time token output, and platform account secrets must be redacted.
- If a command fails, preserve error.code and exit code without copying private diagnostics.
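One way to enforce these redaction expectations before a command result reaches an agent summary, as an added example (not the PDS CLI's own code). The result shape, the `token` and `exitCode` keys, the metadata field names, and all sample values are assumptions; only `rawToken` and `error.code` come from this page.

```python
import re

# Assumed names for the public metadata fields; only rawToken and error.code
# are named on the page.
PUBLIC_TOKEN_FIELDS = ("id", "label", "scopes", "projectAllowlist", "expiresAt")
BEARER_RE = re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9._~+/=-]+")
MASK = "[REDACTED]"

# Constructed sample results (hypothetical shape, placeholder values).
CREATED = {
    "exitCode": 0,
    "rawToken": "example-raw-token-value",
    "token": {"id": "tok_example", "label": "ci-release",
              "scopes": ["project:read", "pipeline:run"],
              "projectAllowlist": ["demo-project"],
              "expiresAt": "2030-01-01T00:00:00Z",
              "refreshValue": "example-refresh-value"},
}
FAILED = {
    "exitCode": 3,
    "error": {"code": "E_EXAMPLE",
              "message": "upstream said: Bearer example-raw-token-value rejected",
              "diagnostics": {"account": "example-account-secret"}},
}


def scrub_text(text, secrets=()):
    """Mask bearer values and any known secret strings in free text."""
    text = BEARER_RE.sub(r"\1 " + MASK, text)
    for secret in secrets:
        if secret:
            text = text.replace(secret, MASK)
    return text


def summarize_result(result):
    """Copy only allowlisted fields, so unknown secret fields are dropped."""
    summary = {"exitCode": result.get("exitCode")}
    token = result.get("token") or {}
    public = {k: token[k] for k in PUBLIC_TOKEN_FIELDS if k in token}
    if public:
        summary["token"] = public
    if "rawToken" in result:
        summary["rawToken"] = MASK  # record that one was issued, never its value
    error = result.get("error") or {}
    if error:
        # Keep error.code only; message and diagnostics may hold private data.
        summary["error"] = {"code": error.get("code")}
    return summary
```

Copying from an allowlist rather than deleting known-bad keys means a field added to the output later is withheld by default instead of leaking into a summary.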