# Config And Secrets

This document describes the current config layout and the intended secret-handling boundary for the Debian deployment.

## Current Config Files In Repo

Main runtime config examples live under:

- `share/conf/db.txt`
- `share/conf/game.txt`

These files are part of the runtime tree and are required by the legacy server layout.

## Important Security Boundary

The repository currently contains literal config values for legacy compatibility. They must be treated as bootstrap/default values, not as a safe long-term secret store.

Practical rule:

- do not treat git-tracked config files as the final production secret source of truth

## What Should Not Live In Git

Do not commit:

- production DB passwords
- real admin page passwords
- host-specific private tokens
- private SSH material
- per-environment override files with live secrets

## Current Operational Model

For the current Debian VPS:

- root-only operational wrappers may inject short-lived values locally
- headless login healthcheck uses a temporary password via environment, not a command-line literal
- the installed wrapper is root-only and not network-facing

## Admin Page Password

The source repository now supports hardening for the admin page password. The long-term goal should be:

- no implicit production default
- host-local secret injection
- explicit runtime validation

## Recommended Direction

The Debian deployment should eventually move to a clearer contract such as:

- git-tracked template/default files
- host-local env file or secret file owned by root
- documented override points

Until that is done, keep all real secret rotation and secret overrides on the host, not in commits.