Add encrypted secret management to your Windsurf workflow. 30 seconds.
SC_BASE_URL=https://secretcarousel.com
SC_API_KEY=sc_free_your_key_here
No key yet? Run: npx secretcarousel signup --tenant my-project
Paste this into your project's .windsurfrules file.
# SecretCarousel Integration

This project uses SecretCarousel for encrypted secret management.
API base: ${SC_BASE_URL}. Auth: X-API-Key header with ${SC_API_KEY}.

EVERY request MUST include:
-H "X-API-Key: ${SC_API_KEY}" -H "Content-Type: application/json"

## Storing secrets
POST ${SC_BASE_URL}/api/v1/secrets with: {name, value, secretType}.
Encrypted AES-256-GCM at rest. Response includes secretId.

## Retrieving secrets
GET ${SC_BASE_URL}/api/v1/secrets/:secretId - decrypts and returns value.
GET ${SC_BASE_URL}/api/v1/secrets - list all (metadata only).

## Updating secrets
PUT ${SC_BASE_URL}/api/v1/secrets/:secretId with: {value:"new-value"}.
Auto-creates new version.

## Sharing (Pro plan)
POST ${SC_BASE_URL}/api/v1/shares with: {secretId, expirationHours, maxUses}.

## Rotation (Pro plan)
POST ${SC_BASE_URL}/api/v1/rotation with: {secretId, schedule}.
POST ${SC_BASE_URL}/api/v1/rotation/:id/rotate-now for immediate.

## Audit
GET ${SC_BASE_URL}/api/v1/audit - every operation logged.

## Key patterns
- Secret IDs: secret-uuid (auto-generated)
- Auth: X-API-Key header on every request
- Encryption: AES-256-GCM, unique key per secret
- Versioning: auto-version on every PUT

# Store a credential
"Store our production database URL in SecretCarousel"

# Retrieve for deployment
"Get the DATABASE_URL secret"

# Rotate after incident
"Rotate all API keys created before yesterday"
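The store and retrieve calls from the rules above, as an added Python example (not SecretCarousel's own code): it reads both settings from the environment, refuses a non-HTTPS base URL, and validates the secret ID before it goes into the URL path. The ID character set, the JSON reply format and the values accepted for `secret_type` are assumptions, since the page does not specify them.

```python
import json
import os
import re
import urllib.request
from urllib.parse import urlsplit

# Assumption: IDs use only letters, digits and hyphens (page says "secret-uuid").
_ID_RE = re.compile(r"[A-Za-z0-9-]{1,128}")


def _config(env):
    """Read both settings from the environment so the key never lands in code."""
    base = env.get("SC_BASE_URL", "").rstrip("/")
    key = env.get("SC_API_KEY", "")
    parts = urlsplit(base)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SC_BASE_URL must be an https:// URL")
    if not key:
        raise ValueError("SC_API_KEY is not set")
    return base, key


def build_request(method, path, body=None, env=os.environ):
    """Build (not send) a request carrying the two headers the rules require."""
    base, key = _config(env)
    data = None if body is None else json.dumps(body).encode()
    headers = {"X-API-Key": key, "Content-Type": "application/json"}
    return urllib.request.Request(base + path, data=data, method=method, headers=headers)


def store_request(name, value, secret_type, env=os.environ):
    # secret_type values are not listed on the page; the caller supplies one.
    body = {"name": name, "value": value, "secretType": secret_type}
    return build_request("POST", "/api/v1/secrets", body, env)


def get_request(secret_id, env=os.environ):
    # Reject anything that could change the path (slashes, dots, query marks).
    if not _ID_RE.fullmatch(secret_id):
        raise ValueError("unexpected characters in secretId")
    return build_request("GET", f"/api/v1/secrets/{secret_id}", env=env)


def send(req):
    """Perform the call; assumes a JSON reply. The result holds the secret value."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Keep the return value of `send` out of logs and error reports, since a GET on a secret ID returns the decrypted value.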
© 2026 Tyga.Cloud Ltd. All rights reserved.