Install: claude install-skill smicolon/ai-kit
# Infisical Patterns
Core patterns for managing secrets with Infisical.
## .infisical.json Convention
The `.infisical.json` file binds a project directory to an Infisical workspace:
```json
{
  "workspaceId": "abc123-def456-ghi789",
  "defaultEnvironment": "dev",
  "gitBranchToEnvironmentMapping": null
}
```
**Rules:**
- **Commit** `.infisical.json` to git (it contains no secrets, just workspace binding)
- **Do NOT commit** `.env`, `.env.local`, or any file containing secret values
## Secret Naming Convention
Use `UPPER_SNAKE_CASE` for all secret names:
```bash
# Correct
DATABASE_URL
REDIS_HOST
STRIPE_SECRET_KEY
AWS_ACCESS_KEY_ID
# Wrong
databaseUrl # camelCase
redis-host # kebab-case
stripe.secret.key # dotted
```
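One way to enforce the commit rules and the naming convention above before a commit lands. This is an added example, not code from ai-kit or Infisical. The function names, the key allow-list (taken from the sample `.infisical.json` above) and the template-suffix exemption are assumptions of this example.

```python
import json
import re
from pathlib import PurePosixPath

# Keys from the .infisical.json sample on this page; treating any other key as
# suspect is this example's assumption, not an Infisical rule.
ALLOWED_KEYS = {"workspaceId", "defaultEnvironment", "gitBranchToEnvironmentMapping"}
# Assumption: dotenv templates with these suffixes hold placeholders only.
TEMPLATE_SUFFIXES = (".example", ".sample", ".template")
UPPER_SNAKE = re.compile(r"[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)*")


def blocked_paths(staged):
    """Staged paths that are dotenv files (.env, .env.local, ...) in any directory."""
    bad = []
    for path in staged:
        name = PurePosixPath(path).name
        if name == ".env" or (name.startswith(".env.") and not name.endswith(TEMPLATE_SUFFIXES)):
            bad.append(path)
    return bad


def unexpected_config_keys(config_text):
    """Top-level keys in .infisical.json that are outside the binding-only allow-list."""
    config = json.loads(config_text)
    if not isinstance(config, dict):
        raise ValueError(".infisical.json must contain a JSON object")
    return sorted(set(config) - ALLOWED_KEYS)


def bad_secret_names(names):
    """Secret names that are not UPPER_SNAKE_CASE."""
    return [n for n in names if not UPPER_SNAKE.fullmatch(n)]


def check(staged, config_text, names):
    """Return every violation as a message; an empty list means the commit may proceed."""
    return (
        [f"dotenv file staged: {p}" for p in blocked_paths(staged)]
        + [f"unexpected key in .infisical.json: {k}" for k in unexpected_config_keys(config_text)]
        + [f"secret name is not UPPER_SNAKE_CASE: {n}" for n in bad_secret_names(names)]
    )


if __name__ == "__main__":
    # Constructed sample input; a real hook would read `git diff --cached --name-only`.
    staged = [".infisical.json", "apps/api/.env.local", ".env.example"]
    config = '{"workspaceId": "abc123-def456-ghi789", "defaultEnvironment": "dev"}'
    for problem in check(staged, config, ["DATABASE_URL", "redis-host"]):
        print(problem)
```
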
## Folder Organization
Organize secrets by **consumer/service** so each folder maps directly to an `infisical run --path=` invocation and machine identity scope.
### Pattern A: By Consumer/Service (Recommended)
Best for multi-service projects. Each service gets exactly the secrets it needs via `--path`.
```
/ (root) → Shared secrets (DATABASE_URL, REDIS_URL)
├── /backend → Backend-only (JWT_SECRET, INTERNAL_API_KEY, SENTRY_DSN)
├── /frontend → Frontend-only (NEXT_PUBLIC_API_URL, NEXT_PUBLIC_STRIPE_KEY)
├── /mobile → Mobile-only (PUSH_NOTIFICATION_KEY, DEEP_LINK_SECRET)
└── /ci → CI/CD-only (DEPLOY_KEY, DOCKER_TOKEN, CODECOV_TOKEN)
```
Why this works:
- `infisical ru