affine-secret-name-check
Keep local `.env` secret key names aligned with the AFFiNE document `SECRETS + INTERNET`. This is a review-first workflow: compare, report, and only propose changes after explicit confirmation.
Install
mkdir -p .claude/skills/affine-secret-name-check && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/15124" && unzip -o skill.zip -d .claude/skills/affine-secret-name-check && rm skill.zipInstalls to .claude/skills/affine-secret-name-check
Activation
This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.
Keep local `.env` secret key names aligned with the AFFiNE document `SECRETS + INTERNET`. This is a review-first workflow: compare, report, and only propose changes after explicit confirmation.About this skill
Skill: affine-secret-name-check
Purpose
Keep local .env secret key names aligned with the AFFiNE document SECRETS + INTERNET.
This is a review-first workflow: compare, report, and only propose changes after explicit confirmation.
When to use
- You want to check that new
.envkeys follow the existing naming convention. - You want to see which services exist in
.envbut are missing in AFFiNE. - You want to detect AFFiNE rows that no longer have a matching local key.
Inputs
- Local
.envfile, defaulting to.env. - AFFiNE document title
SECRETS + INTERNET. - Optional exported AFFiNE table if the live document cannot be read directly.
Execution rules
- Run the helper from the repo root with
uv run python .github/skills/affine-secret-name-check/sync_secrets.py. - Do not install Python packages globally.
- If a dependency is ever required, add it locally with
uv; never usepipor a global package install for this skill. - Prefer zero extra dependencies; this skill should work with the standard library only.
Available AFFiNE tools
mcp_affine-429tmr_keyword_searchmcp_affine-429tmr_read_documentmcp_affine-429tmr_semantic_search
Validation rules
- Treat a key as valid when it is uppercase, underscore-separated, and contains at least two segments:
^[A-Z0-9]+(?:_[A-Z0-9]+)+$. - Normalize for comparison only. Do not rewrite
.envunless the user explicitly approves it. - Never copy secret values into AFFiNE, logs, or summaries. Use
<redacted>when an example value is needed.
Workflow
- Read
.envand collect non-empty, non-comment keys. - Search AFFiNE for
SECRETS + INTERNET. If multiple documents match, prefer the exact title. - Read the document body and extract the first structured table.
- Compare rows and keys using the service prefix heuristic. Default to the first segment before
_; if that is ambiguous, ask the user instead of guessing. - Report three buckets: env-only keys, AFFiNE-only rows, and keys that look malformed.
- For each missing service row, propose a friendly display name, an example env key, and a link only if it can be inferred safely from a URL value.
- Summarize the findings and wait for confirmation before any write or edit action.
- If no AFFiNE write API is available, output a paste-ready manual edit instead of pretending to sync automatically.
Helper script
Use uv run python sync_secrets.py for a local dry-run report. It should parse .env, optionally read an exported AFFiNE markdown table, and print mismatches without exposing secret values.
Example
- Local key:
[email protected] - AFFiNE row:
Example Creds | EXAMPLE_KEY_VALUE | https://example.com
Expected behavior:
- Treat
EXAMPLEas the service prefix. - Propose a missing AFFiNE row when the service is absent.
- Ask for a link only when it cannot be inferred safely.
End.