pikkujs/pikku-config
.claude/skills/pikku-config/SKILL.md
Use when managing secrets, environment variables, config, or OAuth2 credentials in a Pikku app. Covers wireSecret, wireVariable, wireOAuth2Credential, and typed config access. TRIGGER when: code uses wireSecret/wireVariable/wireOAuth2Credential, user asks about env vars, secrets, config, OAuth2, or "how do I access environment variables". DO NOT TRIGGER when: user asks about API versioning/breaking changes (use pikku-versioning), service factories (use pikku-services), or auth middleware (use pikku-security).
$ install --global
skillsauthnpx skillsauth add pikkujs/pikku pikku-configInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 9:50 PM10.3s1 file scanned
SKILL.md
- name:
- pikku-config
- description:
- Use when managing secrets, environment variables, config, or OAuth2 credentials in a Pikku app. Covers wireSecret, wireVariable, wireOAuth2Credential, and typed config access.
- TRIGGER when:
- code uses wireSecret/wireVariable/wireOAuth2Credential, user asks about env vars, secrets, config, OAuth2, or "how do I access environment variables".
- DO NOT TRIGGER when:
- user asks about API versioning/breaking changes (use pikku-versioning), service factories (use pikku-services), or auth middleware (use pikku-security).
Pikku Config, Secrets & OAuth2
Manage secrets, variables, and OAuth2 credentials. Never use process.env in Pikku functions — use typed services instead.
Before You Start
pikku info functions --verbose # See existing functions and their versions
pikku info tags --verbose # Understand project organization
See pikku-concepts for the core mental model.
Secrets & Variables
wireSecret(config)
Declare a secret with a Zod schema for type-safe access:
wireSecret({
name: string, // Secret identifier
schema: ZodSchema, // Shape and validation
})
wireVariable(config)
Declare a variable (non-sensitive config) with a Zod schema:
wireVariable({
name: string,
schema: ZodSchema,
})
Accessing in Functions
// Secrets — encrypted, sensitive values
const config = await services.secrets.getSecretJSON('SECRET_NAME')
// Variables — plain-text configuration
const flags = await services.variables.getVariableJSON('VARIABLE_NAME')
// Simple string access
const apiKey = services.variables.get('API_KEY')
Local Development Services
import { LocalSecretService, LocalVariablesService } from '@pikku/core/services'
const createSingletonServices = pikkuServices(async (config) => ({
secrets: new LocalSecretService(), // Reads from .env or local files
variables: new LocalVariablesService(), // Reads from environment
}))
Usage Patterns
// Declare secrets with typed schemas
wireSecret({
name: 'STRIPE_CONFIG',
schema: z.object({
apiKey: z.string().startsWith('sk_'),
webhookSecret: z.string(),
}),
})
// In your function — fully typed
const config = await secrets.getSecretJSON('STRIPE_CONFIG')
// config.apiKey → string (autocompleted)
// config.webhookSecret → string (autocompleted)
// Declare variables
wireVariable({
name: 'FEATURE_FLAGS',
schema: z.object({
darkMode: z.boolean(),
maxUploadMB: z.number().default(10),
}),
})
// Read it — typed and validated
const flags = await variables.getVariableJSON('FEATURE_FLAGS')
// flags.darkMode → boolean
// flags.maxUploadMB → number
OAuth2 Credentials
wireOAuth2Credential(config)
wireOAuth2Credential({
name: string, // Credential identifier
displayName: string, // Human-readable name
secretId: string, // Secret holding { clientId, clientSecret }
tokenSecretId: string, // Secret for token storage (auto-refreshed)
authorizationUrl: string, // OAuth2 authorization endpoint
tokenUrl: string, // OAuth2 token endpoint
scopes: string[], // Required OAuth2 scopes
})
Usage
wireOAuth2Credential({
name: 'slackOAuth',
displayName: 'Slack OAuth',
secretId: 'SLACK_OAUTH_APP',
tokenSecretId: 'SLACK_OAUTH_TOKENS',
authorizationUrl: 'https://slack.com/oauth/v2/authorize',
tokenUrl: 'https://slack.com/api/oauth.v2.access',
scopes: ['chat:write', 'channels:read'],
})
// In your function — tokens refresh automatically
const response = await slackOAuth.request(
'https://slack.com/api/chat.postMessage',
{
method: 'POST',
body: JSON.stringify({ channel, text }),
}
)
const data = await response.json()
Key Rule
Never use process.env inside Pikku functions. Use the variables or secrets service:
// ❌ Wrong
const apiKey = process.env.API_KEY
// ✅ Correct
const apiKey = services.variables.get('API_KEY')
process.env belongs only in server bootstrap code (start.ts).
Complete Example
// schemas/config.ts
wireSecret({
name: 'DATABASE_CONFIG',
schema: z.object({
connectionString: z.string().url(),
maxPoolSize: z.number().default(10),
}),
})
wireVariable({
name: 'APP_CONFIG',
schema: z.object({
appName: z.string(),
maxUploadSizeMB: z.number().default(10),
maintenanceMode: z.boolean().default(false),
}),
})
wireOAuth2Credential({
name: 'githubOAuth',
displayName: 'GitHub OAuth',
secretId: 'GITHUB_OAUTH_APP',
tokenSecretId: 'GITHUB_OAUTH_TOKENS',
authorizationUrl: 'https://github.com/login/oauth/authorize',
tokenUrl: 'https://github.com/login/oauth/access_token',
scopes: ['read:user', 'repo'],
})
// functions/admin.functions.ts
export const getAppStatus = pikkuSessionlessFunc({
title: 'Get App Status',
func: async ({ variables, secrets }) => {
const appConfig = await variables.getVariableJSON('APP_CONFIG')
return {
appName: appConfig.appName,
maintenanceMode: appConfig.maintenanceMode,
}
},
})
Related Skills
pikkujs/pikku-tag-middleware
documentation
VerifiedTrustedCommunity
Deprecated — use pikku-middleware instead. Tag middleware (addTagMiddleware) is now documented as a section within the pikku-middleware skill, alongside global HTTP middleware, execution order, and the service-to-service bearer auth pattern.
56SKILL.mdUpdated Jun 10, 2026
pikkujs/pikku-permissions
testing
VerifiedTrustedCommunity
Use when adding authorization checks to Pikku functions or routes — pikkuPermission, pikkuAuth, per-function permissions, pattern-based permissions, or understanding OR/AND permission logic. TRIGGER when: user wants to restrict who can call a function, check resource ownership, add role-based access, or understand where permission checks belong. DO NOT TRIGGER when: user asks about middleware or request interception (use pikku-middleware), authentication strategies (use pikku-security), or session management.
56SKILL.mdUpdated Jun 10, 2026
pikkujs/pikku-middleware
testing
VerifiedTrustedCommunity
Use when adding any middleware to a Pikku app — global HTTP middleware, tag-scoped middleware (including service-to-service bearer auth), per-route middleware, session-setting middleware, or understanding middleware execution order and priority. TRIGGER when: user wants middleware on some or all routes, machine-to-machine auth, tag-scoped cross-cutting concerns, global interceptors, or middleware priority/order questions. DO NOT TRIGGER when: user asks about permissions/authorization checks (use pikku-permissions), auth strategies like authBearer/authCookie (use pikku-security), or deployment.
56SKILL.mdUpdated Jun 10, 2026
pikkujs/pikku-template-clone
documentation
VerifiedTrustedCommunity
Standard cleanup to run right after a Pikku template is cloned or scaffolded into a new project. TRIGGER when: a Pikku template was just cloned/scaffolded (via `pikku create`, `git clone <template>`, or the user says "I cloned the kanban template / starter / template"), or the working tree still looks like an untouched template (template README, placeholder `@project/*` name in package.json). DO NOT TRIGGER when: working in an established project mid-feature, or editing the template repo itself.
56SKILL.mdUpdated Jun 4, 2026