Registry-backed secret store for production credentials.
Windows services run as LocalSystem and inherit Machine-scope env vars, but those vars are readable by any logged-in user. Storing the credential under HKLM with a hardened ACL (SYSTEM + Administrators only) keeps it out of low-privilege reach.
Layout in use across kanade:
    HKLM\SOFTWARE\kanade\
      agent\
        NatsToken — shared NATS bearer token (agent + backend + CLI)
      backend\
        StaticToken — KANADE_AUTH_STATIC_TOKEN counterpart
        JwtSecret — KANADE_JWT_SECRET counterpart

deploy-agent.ps1 / deploy-backend.ps1 provision these keys and
apply the ACL. Non-Windows builds get an empty stub so the
workspace still cross-compiles for the CLI’s Linux / macOS release
artifacts.
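
One way to verify that a provisioned key really is limited to SYSTEM + Administrators, as an added example that is not kanade's own code: feed it the SDDL string from `(Get-Acl 'HKLM:\SOFTWARE\kanade').Sddl`. The function name `audit_dacl`, the sample SDDL strings, and the requirement that inheritance be blocked are assumptions of this example.

```rust
// Added example (not kanade code): audit an SDDL DACL against the "SYSTEM +
// Administrators only" policy. Simplified: conditional ACEs are not parsed.

/// Allowed trustees, as SDDL aliases and as literal SIDs.
const ALLOWED: [&str; 4] = ["SY", "BA", "S-1-5-18", "S-1-5-32-544"];

/// Returns one finding per policy violation; empty means the DACL passes.
pub fn audit_dacl(sddl: &str) -> Vec<String> {
    let start = match sddl.find("D:") {
        Some(i) => i,
        None => return vec!["no DACL component in SDDL".to_string()],
    };
    // The DACL runs from "D:" to the SACL marker "S:" or the end of the string.
    let rest = &sddl[start + 2..];
    let dacl = rest.find("S:").map_or(rest, |end| &rest[..end]);
    let (flags, aces) = dacl.split_once('(').unwrap_or((dacl, ""));

    let mut findings = Vec::new();
    if flags.contains("NO_ACCESS_CONTROL") {
        findings.push("null DACL: everyone has full access".to_string());
    }
    // Assumption of this example: inheritance from HKLM\SOFTWARE should be
    // blocked, which SDDL records as the "P" (protected) flag.
    if !flags.contains('P') {
        findings.push("DACL is not protected from inheritance".to_string());
    }
    for ace in aces.split(')').map(|a| a.trim_start_matches('(')) {
        if ace.is_empty() { continue; }
        let f: Vec<&str> = ace.split(';').collect();
        if f.len() < 6 {
            findings.push(format!("malformed ACE: ({ace})"));
        } else if f[0] == "D" {
            continue; // deny ACEs never widen access
        } else if f[0] != "A" {
            findings.push(format!("ACE type {} needs manual review: ({ace})", f[0]));
        } else if !ALLOWED.contains(&f[5]) {
            findings.push(format!("{} is granted rights {}", f[5], f[2]));
        }
    }
    findings
}

fn main() {
    // Constructed sample: SYSTEM and Administrators plus inherited read for Users.
    let weak = "O:BAG:SYD:AI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CIID;KR;;;BU)";
    for finding in audit_dacl(weak) {
        println!("FINDING: {finding}");
    }
}
```

The constructed sample yields two findings: the unprotected DACL and the inherited `KR` (key read) grant to `BU` (BUILTIN\Users), which is the kind of low-privilege read access the hardened ACL is meant to exclude.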