{"id":33326762,"url":"https://github.com/gsmlg-dev/secrethub","last_synced_at":"2026-01-08T15:18:54.621Z","repository":{"id":319873109,"uuid":"1079878661","full_name":"gsmlg-dev/secrethub","owner":"gsmlg-dev","description":null,"archived":false,"fork":false,"pushed_at":"2025-11-20T05:04:46.000Z","size":1050,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-11-20T11:03:49.565Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Elixir","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gsmlg-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security/authentication_flows_review.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-10-20T14:23:13.000Z","updated_at":"2025-10-26T16:39:24.000Z","dependencies_parsed_at":"2025-10-20T17:42:18.424Z","dependency_job_id":null,"html_url":"https://github.com/gsmlg-dev/secrethub","commit_stats":null,"previous_names":["gsmlg-dev/secrethub"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/gsmlg-dev/secrethub","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gsmlg-dev%2Fsecrethub","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gsmlg-dev%2Fsecrethub/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gsmlg-dev%2Fsecrethub/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gsmlg-dev%2Fsecrethub/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gsmlg-dev","download_url":"https://codeload.github.com/gsmlg-dev/secrethub/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gsmlg-dev%2Fsecrethub/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":285422073,"owners_count":27168929,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-20T02:00:05.334Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-11-20T11:03:51.713Z","updated_at":"2026-01-08T15:18:54.595Z","avatar_url":"https://github.com/gsmlg-dev.png","language":"Elixir","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SecretHub\n\n\u003e Enterprise-grade Machine-to-Machine secrets management platform\n\n**Status:** 🚀 v1.0.0-rc3 Released\n\n---\n\n## 🎯 Project Overview\n\nSecretHub is a secure, reliable, and highly automated secrets management platform designed specifically for Machine-to-Machine (M2M) communication. Built in Elixir with a HashiCorp Vault-like architecture, it eliminates hardcoded credentials through centralized management, dynamic generation, and automatic rotation.\n\n### Core Features\n\n| Feature | Description |\n|---------|-------------|\n| 🔐 **mTLS Everywhere** | Mutual TLS for all Core-Agent communications with PKI-issued certificates |\n| 🔑 **Dynamic Secrets** | Short-lived credentials for PostgreSQL, Redis, and AWS STS |\n| 🔄 **Automatic Rotation** | Oban-scheduled zero-downtime secret rotation |\n| 📝 **Template Rendering** | EEx-based secret injection into configuration files |\n| 📊 **Tamper-Proof Audit** | SHA-256 hash-chained logs with HMAC signatures |\n| 🛡️ **Vault Seal/Unseal** | Shamir's Secret Sharing for master key protection |\n| ⚡ **High Availability** | Multi-node deployment with distributed locking |\n| 🔓 **Auto-Unseal** | AWS KMS, Azure Key Vault, GCP KMS integrations |\n| 🚨 **Anomaly Detection** | Real-time security anomaly detection and alerting |\n| 📋 **Policy Templates** | Pre-built policy templates for common use cases |\n\n---\n\n## 🏗️ Architecture\n\nSecretHub implements a **two-tier architecture** with a central Core service and distributed Agents:\n\n```\n┌─────────────────────────────────────────────────────────────────────┐\n│                        SecretHub Core                                │\n│  ┌───────────┐  ┌───────────┐  ┌───────────┐  ┌───────────┐       │\n│  │    PKI    │  │  Policy   │  │  Secret   │  │   Audit   │       │\n│  │  Engine   │  │  Engine   │  │  Engines  │  │  Logger   │       │\n│  │           │  │           │  │           │  │           │       │\n│  │ • Root CA │  │ • JSONB   │  │ • Static  │  │ • Hash    │       │\n│  │ • Int. CA │  │ • Glob    │  │ • Dynamic │  │   Chain   │       │\n│  │ • CSR     │  │   Match   │  │ • Leases  │  │ • HMAC    │       │\n│  └───────────┘  └───────────┘  └───────────┘  └───────────┘       │\n│                                                                      │\n│  ┌───────────┐  ┌───────────┐  ┌───────────┐  ┌───────────┐       │\n│  │  AppRole  │  │   Vault   │  │  Anomaly  │  │   Apps    │       │\n│  │   Auth    │  │ Seal/     │  │ Detection │  │  Manager  │       │\n│  │           │  │ Unseal    │  │           │  │           │       │\n│  └───────────┘  └───────────┘  └───────────┘  └───────────┘       │\n│                                                                      │\n│              REST API + WebSocket + LiveView Admin                  │\n└─────────────────────────────────────────────────────────────────────┘\n                              ↕ mTLS WebSocket\n┌─────────────────────────────────────────────────────────────────────┐\n│                       SecretHub Agent                                │\n│  ┌───────────┐  ┌───────────┐  ┌───────────┐  ┌───────────┐       │\n│  │ Bootstrap │  │Connection │  │   Cache   │  │  Sinker   │       │\n│  │           │  │  Manager  │  │   Layer   │  │           │       │\n│  │ • AppRole │  │           │  │           │  │ • Atomic  │       │\n│  │ • CSR Gen │  │ • Reconn  │  │ • TTL     │  │   Write   │       │\n│  │ • Cert    │  │ • Backoff │  │ • LRU     │  │ • Reload  │       │\n│  └───────────┘  └───────────┘  └───────────┘  └───────────┘       │\n│                                                                      │\n│  ┌───────────┐  ┌───────────┐  ┌───────────────────────────┐       │\n│  │ Template  │  │  Lease    │  │   Unix Domain Socket API   │       │\n│  │ Renderer  │  │ Renewer   │  │   (for local applications) │       │\n│  └───────────┘  └───────────┘  └───────────────────────────┘       │\n└─────────────────────────────────────────────────────────────────────┘\n                              ↕ UDS + mTLS\n                    ┌──────────────────────┐\n                    │    Applications      │\n                    └──────────────────────┘\n```\n\n### Agent Lifecycle\n\n1. **Bootstrap Phase**: AppRole auth → RSA-2048 keypair generation → CSR → Certificate issuance\n2. **Operational Phase**: mTLS WebSocket to Core → Secret requests → Local caching\n3. **Delivery Phase**: EEx template rendering → Atomic file writes → Application reload triggers\n4. **Local Access**: Unix Domain Socket API for application secret retrieval\n\n---\n\n## 🔒 Security Architecture\n\n### Encryption\n\n| Layer | Algorithm | Details |\n|-------|-----------|---------|\n| At Rest | AES-256-GCM | Per-secret nonces, 128-bit auth tags |\n| Master Key | Shamir's Secret Sharing | Configurable N shares, K threshold |\n| Key Derivation | PBKDF2-SHA256 | 100,000 iterations |\n\n### Authentication Flow\n\n```\n┌─────────────┐     RoleID/SecretID      ┌─────────────┐\n│   Agent     │ ─────────────────────────▶│    Core     │\n│  Bootstrap  │                           │   AppRole   │\n└─────────────┘                           └─────────────┘\n       │                                         │\n       │              CSR Request                │\n       │ ◀───────────────────────────────────────│\n       │                                         │\n       │           Signed Certificate            │\n       │ ────────────────────────────────────────▶\n       │                                         │\n       ▼                                         ▼\n┌─────────────┐      mTLS WebSocket      ┌─────────────┐\n│   Agent     │ ◀═══════════════════════▶│    Core     │\n│   Running   │                           │   Running   │\n└─────────────┘                           └─────────────┘\n```\n\n### PKI Hierarchy\n\n- **Root CA**: Self-signed, RSA-4096 or ECDSA P-384\n- **Intermediate CA**: Root-signed, issues client certificates\n- **Client Certificates**: 1-year validity, auto-renewal 7 days before expiry\n\n---\n\n## 🔑 Secret Engines\n\n### Static Secrets\n- Encrypted storage with versioning\n- Oban-scheduled rotation\n- Template rendering support\n\n### Dynamic Secrets\n\n| Engine | Description | Lease Management |\n|--------|-------------|------------------|\n| **PostgreSQL** | Temporary users with `VALID UNTIL`, custom SQL templates | Auto-revocation |\n| **Redis** | Dynamic ACL-based credentials | Auto-revocation |\n| **AWS STS** | Temporary IAM credentials via AssumeRole | TTL-based |\n\n---\n\n## 🚀 Quick Start\n\n### Prerequisites\n\n- **devenv:** [Install from devenv.sh](https://devenv.sh/getting-started/)\n- **direnv (optional):** [Install from direnv.net](https://direnv.net/)\n\n### Installation\n\n```bash\n# Clone the repository\ngit clone https://github.com/gsmlg-dev/secrethub.git\ncd secrethub\n\n# Activate devenv (or use direnv allow)\ndevenv shell\n\n# Set up the database\ndb-setup\n\n# Start the development server\nserver\n```\n\n**Available at:**\n- **Web UI / Admin Dashboard:** http://localhost:4000/admin\n- **REST API:** http://localhost:4000/v1\n- **Metrics:** http://localhost:9090 (Prometheus)\n\n### Quick Commands\n\n```bash\n# Database\ndb-setup        # Create and migrate database\ndb-reset        # Reset database (drop, create, migrate, seed)\n\n# Development\nserver          # Start Phoenix server\nconsole         # Start IEx shell with app loaded\n\n# Testing\nmix test                    # Run all tests\nmix coveralls.html          # Generate coverage report\n\n# Code Quality\nquality         # Run format, credo, dialyzer\n```\n\n---\n\n## 📁 Project Structure\n\n```\nsecrethub/                              # Elixir Umbrella Application\n├── apps/\n│   ├── secrethub_core/                 # Core Business Logic\n│   │   └── lib/secrethub_core/\n│   │       ├── auth/app_role.ex        # AppRole authentication\n│   │       ├── pki/ca.ex               # PKI/CA management\n│   │       ├── policies.ex             # Policy engine\n│   │       ├── policy_templates.ex     # Pre-built policy templates\n│   │       ├── apps.ex                 # Application management\n│   │       ├── audit.ex                # Hash-chained audit logs\n│   │       ├── vault/seal_state.ex     # Seal/unseal with Shamir\n│   │       ├── engines/dynamic/        # PostgreSQL, Redis, AWS STS\n│   │       ├── auto_unseal/providers/  # AWS KMS, Azure KV, GCP KMS\n│   │       ├── anomaly_detection.ex    # Security anomaly detection\n│   │       ├── alerting.ex             # Multi-channel alerting\n│   │       ├── lease_manager.ex        # Lease lifecycle\n│   │       └── rotation_manager.ex     # Oban-scheduled rotation\n│   │\n│   ├── secrethub_web/                  # Phoenix Web Layer\n│   │   └── lib/secrethub_web_web/\n│   │       ├── controllers/            # REST API endpoints\n│   │       ├── live/admin/             # LiveView admin dashboard\n│   │       ├── channels/               # Agent WebSocket channels\n│   │       └── plugs/                  # Rate limiter, mTLS verification\n│   │\n│   ├── secrethub_agent/                # Distributed Agent Daemon\n│   │   └── lib/secrethub_agent/\n│   │       ├── bootstrap.ex            # AppRole → Certificate flow\n│   │       ├── connection.ex           # WebSocket client with reconnect\n│   │       ├── cache.ex                # TTL + LRU secret cache\n│   │       ├── sinker.ex               # Atomic file writer\n│   │       ├── template_renderer.ex    # EEx template engine\n│   │       ├── uds_server.ex           # Unix Domain Socket API\n│   │       └── lease_renewer.ex        # Auto lease renewal\n│   │\n│   └── secrethub_shared/               # Shared Code\n│       └── lib/secrethub_shared/\n│           ├── schemas/                # 20+ Ecto schemas\n│           └── crypto/                 # AES-256-GCM, Shamir\n│\n├── config/                             # Environment configs\n├── infrastructure/                     # IaC\n│   ├── helm/                           # Helm charts\n│   ├── kubernetes/                     # K8s manifests\n│   └── prometheus/                     # Prometheus configs\n└── .github/workflows/                  # CI/CD pipelines\n```\n\n---\n\n## 🌐 API Reference\n\n### System Endpoints (`/v1/sys`)\n\n| Endpoint | Method | Description |\n|----------|--------|-------------|\n| `/v1/sys/init` | POST | Initialize vault with Shamir shares |\n| `/v1/sys/seal` | POST | Seal the vault |\n| `/v1/sys/unseal` | POST | Unseal vault with key shares |\n| `/v1/sys/seal-status` | GET | Get vault seal status |\n| `/v1/sys/health` | GET | Health check |\n| `/v1/sys/health/ready` | GET | Kubernetes readiness probe |\n| `/v1/sys/health/live` | GET | Kubernetes liveness probe |\n\n### Authentication (`/v1/auth`)\n\n| Endpoint | Method | Description |\n|----------|--------|-------------|\n| `/v1/auth/approle/login` | POST | AppRole login |\n| `/v1/auth/approle/role` | GET | List all roles |\n| `/v1/auth/approle/role/:role_name` | POST | Create AppRole |\n| `/v1/auth/approle/role/:role_name` | DELETE | Delete AppRole |\n| `/v1/auth/approle/role/:role_name/role-id` | GET | Get Role ID |\n| `/v1/auth/approle/role/:role_name/secret-id` | POST | Generate Secret ID |\n\n### Secrets (`/v1/secrets`)\n\n| Endpoint | Method | Description |\n|----------|--------|-------------|\n| `/v1/secrets/:path` | GET | Read secret |\n| `/v1/secrets/:path` | POST | Write secret |\n| `/v1/secrets/:path` | DELETE | Delete secret |\n| `/v1/secrets/dynamic/postgresql/creds/:role` | POST | Generate PostgreSQL credentials |\n| `/v1/secrets/dynamic/redis/creds/:role` | POST | Generate Redis credentials |\n| `/v1/secrets/dynamic/aws/creds/:role` | POST | Generate AWS STS credentials |\n\n### PKI (`/v1/pki`)\n\n| Endpoint | Method | Description |\n|----------|--------|-------------|\n| `/v1/pki/ca/root/generate` | POST | Generate Root CA |\n| `/v1/pki/ca/intermediate/generate` | POST | Generate Intermediate CA |\n| `/v1/pki/issue` | POST | Issue certificate |\n| `/v1/pki/sign-request` | POST | Sign a CSR |\n| `/v1/pki/certificates` | GET | List certificates |\n| `/v1/pki/certificates/:id` | GET | Get certificate details |\n| `/v1/pki/certificates/:id/revoke` | POST | Revoke certificate |\n| `/v1/pki/app/issue` | POST | Issue app certificate (bootstrap) |\n| `/v1/pki/app/renew` | POST | Renew app certificate |\n\n### Applications (`/v1/apps`)\n\n| Endpoint | Method | Description |\n|----------|--------|-------------|\n| `/v1/apps` | GET | List applications |\n| `/v1/apps` | POST | Register application |\n| `/v1/apps/:id` | GET | Get application details |\n| `/v1/apps/:id` | PUT | Update application |\n| `/v1/apps/:id` | DELETE | Delete application |\n| `/v1/apps/:id/suspend` | POST | Suspend application |\n| `/v1/apps/:id/activate` | POST | Activate application |\n| `/v1/apps/:id/certificates` | GET | List app certificates |\n\n### Leases (`/v1/sys/leases`)\n\n| Endpoint | Method | Description |\n|----------|--------|-------------|\n| `/v1/sys/leases` | GET | List active leases |\n| `/v1/sys/leases/stats` | GET | Get lease statistics |\n| `/v1/sys/leases/renew` | POST | Renew a lease |\n| `/v1/sys/leases/revoke` | POST | Revoke a lease |\n\n---\n\n## 🖥️ Admin Dashboard\n\nThe LiveView-based admin dashboard (`/admin`) provides:\n\n### Core Management\n- **Dashboard**: System overview, health metrics, quick stats\n- **Secrets**: Secret browser, version history, bulk operations\n- **Policies**: Policy editor, entity bindings, simulator\n- **Policy Templates**: Pre-built templates for common scenarios\n\n### Security \u0026 PKI\n- **PKI**: Root/Intermediate CA management, certificate issuance\n- **Certificates**: Certificate browser, revocation, renewal\n- **AppRoles**: Role management, secret ID rotation\n\n### Infrastructure\n- **Agents**: Connected agents, status monitoring, health checks\n- **Dynamic Engines**: PostgreSQL/Redis engine configuration\n- **Engine Health**: Real-time engine status dashboard\n- **Leases**: Active lease management, bulk revocation\n\n### Operations\n- **Audit**: Log viewer, search, CSV export\n- **Rotations**: Rotation schedules, history, manual triggers\n- **Templates**: Secret template management\n\n### Cluster \u0026 Monitoring\n- **Cluster**: Node health, distributed state, deployment status\n- **Auto-Unseal**: KMS provider configuration\n- **Alerts**: Alert rules, notification channels\n- **Anomalies**: Anomaly detection rules, triggered alerts\n- **Performance**: Performance metrics dashboard\n\n---\n\n## 🚨 Anomaly Detection\n\nSecretHub includes a built-in anomaly detection engine with rules for:\n\n| Rule Type | Description |\n|-----------|-------------|\n| Failed Logins | Detect brute-force authentication attempts |\n| Bulk Deletion | Alert on mass secret deletion |\n| Unusual Access Time | Detect access outside business hours |\n| Mass Secret Access | Alert on abnormal secret read patterns |\n| Credential Export Spike | Detect unusual credential generation |\n| Rotation Failures | Alert on failed secret rotations |\n| Policy Violations | Detect policy bypass attempts |\n\n### Alert Channels\n\n- Email notifications\n- Slack webhooks\n- Generic webhooks\n- PagerDuty integration\n- Opsgenie integration\n\n---\n\n## 📋 Policy Templates\n\nPre-built policy templates for common scenarios:\n\n| Template | Description |\n|----------|-------------|\n| `business_hours` | Access restricted to business hours (9-5) |\n| `ip_restricted` | Access limited to specific IP ranges |\n| `read_only` | Read-only access to secrets |\n| `emergency_access` | Break-glass emergency access |\n| `dev_environment` | Development environment access |\n| `production_readonly` | Production read-only access |\n| `time_limited` | Time-limited access with expiration |\n| `multi_region` | Multi-region access policies |\n\n---\n\n## 🚢 Deployment\n\n### Release Artifacts\n\n| Release | Includes |\n|---------|----------|\n| `secrethub_core` | Core + Web + Shared |\n| `secrethub_agent` | Agent + Shared |\n\n### Docker Images\n\n```bash\n# Core Service\ndocker run -d -p 4000:4000 \\\n  -e DATABASE_URL=\"postgresql://...\" \\\n  -e SECRET_KEY_BASE=\"...\" \\\n  ghcr.io/gsmlg-dev/secrethub/core:v1.0.0-rc3\n\n# Agent\ndocker run -d \\\n  -e SECRETHUB_CORE_URL=\"wss://core:4000\" \\\n  -e SECRETHUB_ROLE_ID=\"...\" \\\n  -e SECRETHUB_SECRET_ID=\"...\" \\\n  ghcr.io/gsmlg-dev/secrethub/agent:v1.0.0-rc3\n```\n\n### Kubernetes (Helm)\n\n```bash\nhelm install secrethub ./infrastructure/helm/secrethub \\\n  --set core.database.url=\"postgresql://...\" \\\n  --set core.secretKeyBase=\"...\"\n```\n\n### Environment Variables\n\n```bash\n# Core Service\nDATABASE_URL=postgresql://user:pass@host/db  # Or with socket: ?host=/var/run/postgresql\nSECRET_KEY_BASE=\u003c64-char-hex\u003e\nPHX_HOST=secrethub.example.com\nPOOL_SIZE=10\n\n# Agent\nSECRETHUB_CORE_URL=wss://core.example.com:4000\nSECRETHUB_ROLE_ID=\u003crole-id\u003e\nSECRETHUB_SECRET_ID=\u003csecret-id\u003e\n```\n\n---\n\n## 🧪 Development Status\n\n### ✅ Completed Features\n\n- [x] Umbrella project structure with 4 apps\n- [x] PostgreSQL 16 with UUID, pgcrypto extensions (Unix socket support)\n- [x] AppRole authentication (RoleID/SecretID)\n- [x] Full PKI engine (Root CA, Intermediate CA, CSR)\n- [x] Vault seal/unseal with Shamir's Secret Sharing\n- [x] Policy engine with glob patterns and conditions\n- [x] Policy templates for common scenarios\n- [x] Tamper-evident audit logging (hash chains + HMAC)\n- [x] Dynamic secret engines (PostgreSQL, Redis, AWS STS)\n- [x] Auto-unseal providers (AWS KMS, Azure Key Vault, GCP KMS)\n- [x] Agent bootstrap and mTLS WebSocket connection\n- [x] Secret caching with TTL and LRU eviction\n- [x] Template rendering and atomic file writes\n- [x] Lease management with auto-renewal\n- [x] Oban-scheduled secret rotation\n- [x] Application management system\n- [x] Anomaly detection engine\n- [x] Multi-channel alerting (Email, Slack, PagerDuty, Opsgenie)\n- [x] LiveView admin dashboard (20+ pages)\n- [x] CI/CD with GitHub Actions\n- [x] Multi-arch Docker images (amd64/arm64)\n- [x] Helm charts for Kubernetes deployment\n\n---\n\n## 📝 Contributing\n\n### Commit Convention\n\n```\ntype(scope): subject\n\nTypes: feat, fix, docs, style, refactor, test, chore\n```\n\n**Example:**\n```\nfeat(core): implement AWS STS dynamic secret engine\n\n- Add AssumeRole credential generation\n- Implement lease management\n- Add integration tests\n```\n\n---\n\n## 📄 License\n\nMIT License\n\n---\n\n## 🔗 Links\n\n- **Repository:** https://github.com/gsmlg-dev/secrethub\n- **Latest Release:** [v1.0.0-rc3](https://github.com/gsmlg-dev/secrethub/releases/tag/v1.0.0-rc3)\n- **Docker Images:** `ghcr.io/gsmlg-dev/secrethub/core` | `ghcr.io/gsmlg-dev/secrethub/agent`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgsmlg-dev%2Fsecrethub","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgsmlg-dev%2Fsecrethub","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgsmlg-dev%2Fsecrethub/lists"}