allisson · allisson · Feb 21, 2026 · Feb 21, 2026 · Feb 21, 2026
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,46 @@
+# Version control
+.git
+.github
+.gitignore
+
+# Environment and secrets
+.env
+.env.*
+!.env.example
+
+# Documentation (not needed in build)
+*.md
+!README.md
+docs/
+CHANGELOG.md
+LICENSE
+
+# Build artifacts
+bin/
+coverage.out
+*.coverprofile
+*.test
+*.out
+profile.cov
+t.log
+
+# Test and development
+test/
+.ruff_cache/
+docker-compose*.yml
+
+# CI/CD configuration
+.mockery.yaml
+.golangci.yml
+.markdownlint.json
+
+# Editor/IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# OS-specific
+.DS_Store
+Thumbs.db
diff --git a/.env.example b/.env.example
@@ -27,13 +27,36 @@ METRICS_NAMESPACE=secrets
 # Generate a new KMS master key using: ./bin/app create-master-key --kms-provider=<provider> --kms-key-uri=<uri>
 # Rotate master keys using: ./bin/app rotate-master-key --id=<new-key-id>
 #
+# 🔒 SECURITY WARNING: KMS_KEY_URI is HIGHLY SENSITIVE
+# - Controls access to ALL encrypted data in this deployment
+# - NEVER commit KMS_KEY_URI to source control (even private repos)
+# - Store in secrets manager (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, HashiCorp Vault)
+# - Use .env files excluded from git (.env is in .gitignore)
+# - Inject via CI/CD secrets for automated deployments
+# - NEVER use base64key:// provider in staging or production (local development only)
+# - Rotate KMS keys quarterly or per organizational policy
+# - See docs/configuration.md#kms_key_uri for incident response procedures
+#
 # KMS Providers:
-# - localsecrets: Local testing (base64key://<32-byte-base64-key>)
+# - localsecrets: Local testing ONLY (base64key://<32-byte-base64-key>) ❌ DO NOT USE IN PRODUCTION
 # - gcpkms: Google Cloud KMS (gcpkms://projects/<project>/locations/<location>/keyRings/<ring>/cryptoKeys/<key>)
 # - awskms: AWS KMS (awskms:///<key-id> or awskms:///<alias>)
 # - azurekeyvault: Azure Key Vault (azurekeyvault://<vault-name>.vault.azure.net/keys/<key-name>)
 # - hashivault: HashiCorp Vault (hashivault:///<path>)
 #
+# Example KMS Mode Configuration (GCP KMS):
+# KMS_PROVIDER=gcpkms
+# KMS_KEY_URI=gcpkms://projects/my-prod-project/locations/us-central1/keyRings/secrets-keyring/cryptoKeys/master-key
+# MASTER_KEYS=default:ARiEeAASDiXKAxzOQCw2NxQfrHAc33CPP/7SsvuVjVvq1olzRBudplPoXRkquRWUXQ+CnEXi15LACqXuPGszLS+anJUrdn04
+# ACTIVE_MASTER_KEY_ID=default
+#
+# Example KMS Mode Configuration (AWS KMS):
+# KMS_PROVIDER=awskms
+# KMS_KEY_URI=awskms:///alias/secrets-master-key
+# MASTER_KEYS=default:ARiEeAASDiXKAxzOQCw2NxQfrHAc33CPP/7SsvuVjVvq1olzRBudplPoXRkquRWUXQ+CnEXi15LACqXuPGszLS+anJUrdn04
+# ACTIVE_MASTER_KEY_ID=default
+#
+# Example Local Development (localsecrets - INSECURE, DEVELOPMENT ONLY):
 # KMS_PROVIDER=localsecrets
 # KMS_KEY_URI=base64key://smGbjm71Nxd1Ig5FS0wj9SlbzAIrnolCz9bQQ6uAhl4=
 # MASTER_KEYS=default:ARiEeAASDiXKAxzOQCw2NxQfrHAc33CPP/7SsvuVjVvq1olzRBudplPoXRkquRWUXQ+CnEXi15LACqXuPGszLS+anJUrdn04

diff --git a/.github/workflows/docker-push.yml b/.github/workflows/docker-push.yml
@@ -34,6 +34,17 @@ jobs:
         with:
           images: ${{ secrets.DOCKERHUB_USERNAME }}/secrets
 
+      - name: Extract version and build metadata
+        id: version
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            VERSION=${GITHUB_REF#refs/tags/}
+          else
+            VERSION="dev"
+          fi
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+
       - name: Build and push Docker image
         uses: docker/build-push-action@v6
         with:
@@ -42,3 +53,9 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            VERSION=${{ steps.version.outputs.version }}
+            BUILD_DATE=${{ steps.version.outputs.build_date }}
+            COMMIT_SHA=${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max