# Secrets & Cloudflare

> Sync the shared .env to Cloudflare Worker secrets.

Production secrets are not stored in `wrangler.jsonc`. Non-secret config lives in `vars`; secrets are pushed via Wrangler.

## Flow

```mermaid theme={null}
flowchart LR
  shared[".env shared"] --> merge["thub env merge --prod"]
  prodlocal[".env.production.local"] --> merge
  merge --> apienv["apps/api/.env"]
  apienv --> json["worker-secrets.json"]
  json --> wrangler["wrangler secret bulk"]
```

## Required vs optional keys

The file `.cloudflare/worker-secrets.keys` defines:

**Required** (must be filled in before pushing):

* `BETTER_AUTH_SECRET`
* `DEEPSEEK_API_KEY`
* `AWS_ACCESS_KEY_ID`
* `AWS_SECRET_ACCESS_KEY`

**Optional** (the feature is disabled if empty):

* `MUX_*`, `SCALEV_*`, `RESEND_API_KEY`, `SERPAPI_API_KEY`, etc.

```bash theme={null}
./thub secrets check
```
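
A pre-push check in the spirit of the required-key rule above, as an added example (not the project's `thub secrets check` implementation): it parses a merged env file without sourcing it and lists the required keys that are missing or empty. The function names, the dotenv parsing rules and the sample file are assumptions; the key names are the four required ones listed above.

```bash
#!/usr/bin/env bash
# Added example, not thub's own code. Key names are from the page;
# the dotenv parsing rules and function names are assumptions.
REQUIRED_KEYS="BETTER_AUTH_SECRET DEEPSEEK_API_KEY AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY"

# Print the value of KEY from a dotenv file (last assignment wins).
# The file is parsed, never sourced, so nothing inside it is executed.
# KEY is only ever one of the fixed names above, so it is regex-safe.
env_value() {
  local file="$1" key="$2"
  sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?${key}[[:space:]]*=[[:space:]]*(.*)\$/\2/p" "$file" \
    | tail -n 1 \
    | sed -E -e 's/[[:space:]]+$//' -e 's/^#.*$//' \
             -e 's/^"(.*)"$/\1/' -e "s/^'(.*)'\$/\1/"
}

# Print each required key that is absent or empty; return 1 if any is.
missing_required_keys() {
  local file="$1" key missing=0
  for key in $REQUIRED_KEYS; do
    if [ -z "$(env_value "$file" "$key")" ]; then
      echo "$key"
      missing=1
    fi
  done
  return "$missing"
}

# Constructed sample input with dummy values, not real credentials.
write_sample_env() {
  cat > "$1" <<'EOF'
BETTER_AUTH_SECRET="dummy-auth-secret"
DEEPSEEK_API_KEY=
export AWS_ACCESS_KEY_ID=DUMMYACCESSKEYID
AWS_SECRET_ACCESS_KEY=   # TODO fill in
RESEND_API_KEY=
EOF
}

sample=$(mktemp)
write_sample_env "$sample"
if ! missing_required_keys "$sample"; then
  echo "refusing to push: the required keys listed above are empty" >&2
fi
rm -f "$sample"
```

Only key names are printed, never values, so the output is safe to keep in CI logs; the empty optional `RESEND_API_KEY` in the sample is not reported.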

## Commands

```bash theme={null}
./thub secrets generate   # build JSON from the merged env
./thub secrets push       # generate + push to Cloudflare
```

Manual:

```bash theme={null}
SECRETS_FILE=/path/to/secrets.json ./scripts/sync-worker-secrets.sh
```

## Pull secrets from the team (Doppler / Infisical)

```bash theme={null}
./thub secrets pull
```

Writes to the shared `.env`, then runs the dev merge automatically.

## Encrypt .env for sharing via git (dotenvx)

```bash theme={null}
bun add -g @dotenvx/dotenvx
./thub secrets encrypt
```

* encrypted `.env` → safe to commit
* `.env.keys` → **do not** commit; share it through a secure channel

<Tip>
  For a small team, sharing `.env` through a password manager or `thub secrets pull` from the Doppler/Infisical free tier is enough.
</Tip>
