---
name: new-credential
description: Create a new bash.d credential file with .example template, .gitignore entry, and correct permissions
user-invocable: true
disable-model-invocation: true
arguments:
  - name: name
    description: "Short name for the credential (e.g. 'openai', 'stripe')"
    required: true
  - name: var
    description: "Environment variable name to export (e.g. 'OPENAI_API_KEY')"
    required: true
---

Create a new credential file pair in ~/.bash.d/ following the project conventions.

## Steps

1. **Create the `.example` template** at `99-$name.example` (mode 644):
   ```bash
   # shellcheck shell=bash
   # <Description of what this credential is for>
   # Copy to 99-$name and fill in your token, then: chmod 700 99-$name
   require_private "${BASH_SOURCE[0]}"
   export $var=your-token-here
   ```

2. **Create the real credential file** at `99-$name` (mode 700):
   ```bash
   # shellcheck shell=bash
   # NOTE: Contains credentials - ensure file permissions remain 600/700
   require_private "${BASH_SOURCE[0]}"
   export $var=your-token-here
   ```

3. **Add `99-$name` to `.gitignore`** (append to the existing credential list)

4. **Set permissions**: `chmod 700 99-$name`

5. **Validate both files**: `shellcheck 99-$name.example 99-$name`

6. **Remind the user** to edit `99-$name` and fill in the real secret value

## Rules

- The `.example` template must NOT contain real secrets — use `your-token-here` as placeholder
- The real credential file must have mode `700`
- Both files must start with `# shellcheck shell=bash`
- Both files must call `require_private "${BASH_SOURCE[0]}"` as the first functional line
- Only the `.example` file should be staged in git — verify `99-$name` is gitignored