Spanda loads secrets at runtime from environment variables or files. Never hardcode secrets in source.
Individual secrets:
secret signing_key from env "ROVER_PRIVATE_KEY";
secret tls_cert from file "certs/rover.pem";
Block form:
secrets {
rover_private_key from env "ROVER_PRIVATE_KEY";
tls_cert from file "certs/rover.pem";
}
| Source | Syntax | Use case |
|---|---|---|
| Environment | from env "VAR" |
CI, containers, local dev |
| File | from file "path" |
TLS certs, mounted key volumes |
| Literal | from "value" |
Tests only — not for production |
Future: secret-manager backends (Vault, cloud KMS) without changing declaration names.
Reading secrets requires secret.read in robot permissions or package manifest capabilities.
SecretStore — values are never printed in logssecret:<name> redacted labels onlyencryption: requiredspanda security check robot.sd # flags secrets without capability
spanda security audit robot.sd # records secret access patterns
See Secure communication.