anima-security-basics

# Anima Security Basics ## Security Checklist - [ ] Anima token stored in secret manager (not .env in prod) - [ ] Figma PAT has minimum required scope (file:read only) - [ ] SDK runs server-side only (never ship tokens to browser) - [ ] `.env` files gitignored and chmod 600 - [ ] CI secrets stored in GitHub Secrets, not workflow files - [ ] Generated code reviewed before committing (no embedded tokens) ## Instructions ### Step 1: Figma Token Scope Restriction ```bash # When creating a Figma Personal Access Token: # - Give it the MINIMUM scope needed: File Content (read-only) # - Do NOT grant write access unless you need Figma plugin features # - Set an expiration date (90 days recommended) # - Create separate tokens for dev vs CI environments ``` ### Step 2: Server-Side Only Enforcement ```typescript // src/anima/safety.ts // Anima SDK is designed for server-side use only function validateEnvironment(): void { if (typeof window !== 'undefined') { throw new Error('Anima SDK must run server-side only — never import in browser code'); } if (!process.env.ANIMA_TOKEN) throw new Error('ANIMA_TOKEN not set'); if (!process.env.FIGMA_TOKEN) throw new Error('FIGMA_TOKEN not set'); } // Call this at startup validateEnvironment(); ``` ### Step 3: Secret Manager Integration ```typescript // src/anima/secrets.ts async function loadAnimaSecrets(): Promise<{ animaToken: string; figmaToken: string }> { const { SecretManagerServiceClient } = await import('@google-cloud...