Rule
Everything available to a public client build is public. Flutter Envied values, generated Dart, mobile artifacts, desktop app bundles, and release resources must never contain server-only secrets.

obfuscate: true is not a security boundary. It only changes how a value is represented in generated code; users can still extract values from shipped apps.
Config Classes
| Class | Ships in public clients? | Examples | Handling |
|---|---|---|---|
| Public client config | Yes | API base URL, non-sensitive flags | Use PUBLIC_ names and allowlist in app/config/client_env_policy.yaml. |
| Restricted public client key | Yes, intentionally | Google Maps SDK key, public analytics ingestion key | Allowlist with owner, purpose, restrictions, and revocation path. Restrict at the vendor by bundle/package/API where possible. |
| Server-only secret | No | OpenAI, Gemini, Anthropic, Deepgram, OAuth client secrets, service accounts, admin keys | Keep in backend secret managers or server runtime only. Never expose to app env or artifacts. |
| Build or publish secret | No | Keystores, provisioning credentials, App Store/Play publishing credentials | Use only in signing/publishing steps. Never copy into app resources. |
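
The handling rules in the table can be enforced mechanically before a client env file reaches a build. The sketch below is an added example, not the project's own release check: the policy field names (class, owner, purpose, restrictions, revocation), the variable names, and the sample env file are assumptions constructed for illustration.

```python
import re

# Constructed policy data. The schema of client_env_policy.yaml is not shown
# on this page, so these field names are assumptions.
POLICY = {
    "PUBLIC_API_BASE_URL": {"class": "public"},
    "GOOGLE_MAPS_SDK_KEY": {
        "class": "restricted", "owner": "mobile-team", "purpose": "Maps SDK",
        "restrictions": "bundle id, Maps SDK only", "revocation": "rotate at vendor",
    },
}
RESTRICTED_FIELDS = ("owner", "purpose", "restrictions", "revocation")
# Name fragments taken from the server-only row of the table above.
SERVER_ONLY = re.compile(
    r"OPENAI|GEMINI|ANTHROPIC|DEEPGRAM|CLIENT_SECRET|SERVICE_ACCOUNT", re.I)
ENV_LINE = re.compile(
    r"^[ \t]*(?:export[ \t]+)?([A-Za-z_][A-Za-z0-9_]*)[ \t]*=", re.M)

# Constructed sample env file with placeholder values.
SAMPLE_ENV = """\
# client env (constructed)
PUBLIC_API_BASE_URL=https://api.example.invalid
GOOGLE_MAPS_SDK_KEY=placeholder
export OPENAI_API_KEY=placeholder
API_TIMEOUT=30
"""


def check_client_env(env_text, policy):
    """Return violations; an empty list means every variable is allowed to ship."""
    problems = []
    for name in ENV_LINE.findall(env_text):
        entry = policy.get(name)
        if SERVER_ONLY.search(name):
            # Deny by name even if someone added the variable to the allowlist.
            problems.append(f"{name}: server-only secret name in client env")
        elif entry is None:
            problems.append(f"{name}: not in allowlist")
        elif entry.get("class") == "public" and not name.startswith("PUBLIC_"):
            problems.append(f"{name}: public config must use a PUBLIC_ name")
        elif entry.get("class") == "restricted":
            missing = [f for f in RESTRICTED_FIELDS if not entry.get(f)]
            if missing:
                problems.append(f"{name}: missing {', '.join(missing)}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_client_env(SAMPLE_ENV, POLICY)) or "client env OK")
```

The check is default-deny: a variable that is absent from the allowlist fails even when its name looks harmless, which keeps new config from shipping without a policy entry.
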
Adding App Config
- Add the variable to app/config/client_env_policy.yaml.
- Add a placeholder to app/.client.env.example.
- Add it to scripts/create-public-client-env.sh.
- Add the value to the Codemagic environment group consumed by the app release workflows (currently app_env, unless the workflows import a dedicated public config group).
- Run:
Release Checks
Public release workflows must run both checks:
Provider APIs
Public clients must not use Omi-owned provider credentials directly. Features that need OpenAI, Gemini, Anthropic, Deepgram, or similar providers should use:

legacy_direct_provider_domain_exceptions inside app/config/client_env_policy.yaml. Do not add to that list for new work. New provider integrations must use backend-owned BYOK storage and a provider proxy.