+++
title = "Document secrets management — Cloudflare API token, account ID, how to supply to OpenTofu and local dev"
priority = 6
status = "todo"
ticket_type = "task"
dependencies = ["25c413", "2d1371"]
+++

<context>
Infrastructure is managed with OpenTofu using the Cloudflare provider. Configuration lives in `infra/`. Resources include a Cloudflare Worker (API), Cloudflare D1 database (bound to the worker), and a Cloudflare Pages project (UI frontend).
</context>

<goal>
Write documentation in `infra/README.md` or `docs/SECRETS.md` covering:
1. What secrets/credentials are required (Cloudflare API token, account ID)
2. How to provide them for local OpenTofu runs (environment variables or `.env` file — never commit)
3. How to provide them in CI/CD (GitHub Actions secrets or equivalent)
4. What permissions the Cloudflare API token needs (Workers, D1, Pages, DNS)
</goal>

<constraints>
- Do not commit any actual secrets or tokens — document the variable names only.
- Cross-reference the `.gitignore` for infra secrets files.
</constraints>

<commit>
`docs(quotesdb): document secrets management for Cloudflare credentials`
</commit>