Summary
The agent setup checklist (docs/agents/ROCKETRIDE_README.md:46-48) has coding agents write ROCKETRIDE_APIKEY into .env, create an env.example, and open .env in an editor tab. Nothing in the doc set mentions adding .env to .gitignore, and the extension's gitignore scaffolding only adds .rocketride/ (apps/vscode/src/agents/agent-manager.ts:49, ensureGitignore at 309-331; the new docs-sync.ts in #1034 hardcodes the same single entry).
Impact
Not a vulnerability, just a gap: a fresh project holds a real API key in .env while the auto-generated .gitignore doesn't cover it. The tool already edits .gitignore, so closing this is one line.
Fix
- .env to the ensureGitignore entries (and the agents-core copy in feat/RR-1024-cli-rocketride-init #1034 / refactor(vscode): consume @rocketride/agents-core (RR-1024 P3) — stacked on #1034 #1110).
- .env is gitignored and only the example file gets committed.
- env.example should be .env.example (README:47, COMPONENT_REFERENCE.md:435), and verifying variable names beats opening .env as a visible tab.
Severity: Low (hardening). Related: #1186, #624 (closed, so there's currently no secret-scanning net), #1105.
Related: #1200 (the same checklist lines also describe removed extension behavior).
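One way a gitignore scaffold could cover .env idempotently, as an added example that is not the extension's own code: the function names are hypothetical, and the entry list is the existing .rocketride/ plus the proposed .env. It goes slightly beyond the issue text by also honoring git's rule that the last matching pattern wins, so a later `!.env` counts as uncovered.

```typescript
// Added example, not RocketRide's code. REQUIRED is the entry named in the issue
// (.rocketride/) plus the proposed .env; all function names are hypothetical.
const REQUIRED = [".rocketride/", ".env"];

// Normalise one pattern: trim whitespace/CR and drop a leading "/" root anchor.
function normalise(pattern: string): string {
  return pattern.trim().replace(/^\//, "");
}

// True when `pattern` ignores `entry`. A directory entry "x/" is also covered
// by the bare pattern "x"; a file entry "x" is NOT covered by "x/", because a
// trailing slash makes git match directories only.
function covers(pattern: string, entry: string): boolean {
  if (pattern === entry) return true;
  const isDir = entry.charAt(entry.length - 1) === "/";
  return isDir && pattern === entry.slice(0, -1);
}

// Entries from `required` that the existing content leaves unignored.
// Lines are scanned in order so a later "!.env" cancels an earlier ".env".
function missingEntries(existing: string, required: string[] = REQUIRED): string[] {
  const ignored: Record<string, boolean> = {};
  for (const raw of existing.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.charAt(0) === "#") continue;
    const negated = line.charAt(0) === "!";
    const pattern = normalise(negated ? line.slice(1) : line);
    for (const entry of required) {
      if (covers(pattern, entry)) ignored[entry] = !negated;
    }
  }
  return required.filter((entry) => ignored[entry] !== true);
}

// Idempotent merge: append only what is missing and keep existing lines intact.
function mergeGitignore(existing: string, required: string[] = REQUIRED): string {
  const missing = missingEntries(existing, required);
  if (missing.length === 0) return existing;
  const endsClean = existing === "" || existing.charAt(existing.length - 1) === "\n";
  return existing + (endsClean ? "" : "\n") + missing.join("\n") + "\n";
}
```

The caller reads .gitignore (an empty string if the file is absent) and writes the result back only when it differs from what was read.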