Fail-closed & secrets
Fail-closed
If ProdVerdict cannot evaluate a contract — missing credentials, invalid YAML, unreachable database — it fails rather than silently passing.
```sh
# Missing STRIPE_SECRET_KEY → exit 2 (config error), not pass
npx prodverdict check access
```
This applies to CLI, GitHub Action, and MCP.
Credential guidance
| Secret | Recommendation |
|---|---|
| STRIPE_SECRET_KEY | Restricted read-only key (rk_) |
| DATABASE_URL | Read-only DB role |
| PADDLE_API_KEY | Read-only where supported |
Never commit .env or real customer fixtures.
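
A CI-side wrapper that applies the fail-closed rule and the `rk_` recommendation above, added here as an example and not taken from ProdVerdict's own code. The function names `check_stripe_key` and `gate`, the status 3 for a full `sk_` key, and the treatment of every other non-zero status as blocking are assumptions; the page itself only states exit 2 for a config error.

```shell
#!/bin/sh
# Added example, not ProdVerdict code. Function names and status 3 are assumptions.

# Classify a Stripe key by prefix without ever printing it.
# Returns 0 for a restricted key (rk_), 2 for a config error (missing or
# unrecognised, mirroring the exit 2 shown above), 3 for a full secret key (sk_).
check_stripe_key() {
  case "${1-}" in
    "")   echo "STRIPE_SECRET_KEY is not set: config error" >&2; return 2 ;;
    rk_*) return 0 ;;
    sk_*) echo "full secret key (sk_) supplied; use a restricted rk_ key" >&2; return 3 ;;
    *)    echo "unrecognised key format: config error" >&2; return 2 ;;
  esac
}

# Fail-closed gate: run a command and print a verdict. Only status 0 passes;
# a config error, a finding, a missing binary (127) or a crash all block.
gate() {
  rc=0
  "$@" || rc=$?
  case "$rc" in
    0) echo "pass" ;;
    2) echo "blocked: config error" ;;
    *) echo "blocked: status $rc" ;;
  esac
  return "$rc"
}

# Constructed sample values, not real keys.
for key in "rk_test_constructed" "sk_test_constructed" ""; do
  # "|| :" only keeps this demo loop going; in CI let the status fail the job.
  gate check_stripe_key "$key" 2>/dev/null || :
done
```

In a pipeline the same wrapper can run the real check, for example `gate npx prodverdict check access`, with the step left to fail on any non-zero status.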
Logs and output
CLI and Action output redact secrets. Upload to prodverdict.com sends findings JSON and metadata — not raw Stripe rows or user emails.
Remote MCP boundary
Remote MCP at https://prodverdict.com/api/mcp runs config and migration contracts against files fetched via the GitHub App. Access contract (Stripe + DB) stays on local MCP or your CI — billing secrets never leave your runtime.