# Secrets Handling (Orchestrator additions)

Last updated: 2025-11-25

## Principles

- Secrets are stored in Authority and referenced via `secretRef`; services never persist raw secrets.
- No secrets in logs, traces, metrics, crash dumps, or health endpoints.
- Offline/air-gap: secrets are delivered through sealed bundles and loaded at startup only.

## Orchestrator-specific rules (DOCS-ORCH-34-002)

- Plugin steps receive secrets via `secretRef`; workers fetch them at step start and keep them in memory only for the step scope.
- Secrets are not written to the run ledger, artifacts, or NDJSON exports; only `secretRef` identifiers may appear.
- Network egress is deny-by-default; allowlists must reference `secretRef`-protected credentials when needed.
- Cancellation and retries must not log or surface secret material; redaction applies to all error paths.

## Audit checklist

- [ ] Every plugin configuration uses `secretRef`, not inline values.
- [ ] Logs/traces verified to contain no secret payloads (redaction tests).
- [ ] Run ledger verified to store hashes/refs only.
- [ ] Secret refresh/rotation tested (Authority + worker reload).
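The orchestrator rules and the audit checklist above, worked through as an added example that is not the project's own code: a step runner that resolves `secretRef` values at step start, keeps them only for the step scope, redacts them from every error path, and records refs and digests only in the ledger. `SecretStore` is a constructed stand-in for Authority, and the field-name heuristic in `validate_plugin_config` is an assumption.

```python
import hashlib
import re

# Shape of a reference as assumed here; the page only fixes the `secretRef` prefix.
SECRET_REF = re.compile(r"^secretRef:[A-Za-z0-9._/-]+$")


class SecretStore:
    """Constructed stand-in for Authority: resolves a secretRef to raw material."""
    def __init__(self, entries):
        self._entries = dict(entries)

    def resolve(self, ref):
        return self._entries[ref]


def validate_plugin_config(config):
    """Audit check 1: credential-bearing fields must carry a secretRef, never an inline value.
    The suffix heuristic is an assumption; a real schema would mark such fields explicitly."""
    return [k for k, v in config.items()
            if k.endswith(("token", "password", "key")) and not SECRET_REF.match(str(v))]


def redact(text, secrets):
    """Scrub any secret material from text; applied to every error path (cancel, retry, fail)."""
    for s in secrets:
        if s:
            text = text.replace(s, "[REDACTED]")
    return text


def ref_digest(value):
    """Truncated SHA-256 so the ledger can prove which value was used without storing it."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def run_step(config, store, action):
    """Fetch at step start, hold in memory only for this scope, return a ledger record
    that contains refs and digests only, never raw secrets."""
    refs = {k: v for k, v in config.items() if SECRET_REF.match(str(v))}
    values = {k: store.resolve(v) for k, v in refs.items()}
    ledger = {"secretRefs": sorted(refs.values()),
              "secretDigests": {k: ref_digest(v) for k, v in values.items()}}
    try:
        action(values)
        ledger["status"] = "ok"
    except Exception as exc:  # error path: message is redacted before it can reach the ledger
        ledger["status"] = "error"
        ledger["error"] = redact(str(exc), values.values())
    finally:
        values.clear()  # nothing outlives the step scope
    return ledger
```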