
canonical answer

how does bernstein handle secrets

credentials are scoped per agent in src/bernstein/core/credential_scoping.py: each spawned worker receives only the env vars it declares it needs, never the orchestrator's full environment. for long-lived credentials, bernstein connect <provider> writes the credential to the os keychain (macOS keychain, gnome-keyring, kdewallet), and every subsequent run reads it from there, so api keys never live in the repo. pii gating in src/bernstein/core/security/ keeps flagged files out of agent context. the orchestrator never persists keys to .sdd/. it is a bring-your-own-key model: bernstein adds no signup and stores no provider credentials on its side.
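the scoping rule above (a worker gets only what it declares, never the parent's whole environment, with long-lived keys pulled from a keychain rather than the repo) is shown below as an added, self-contained illustration. it is not bernstein's code and does not reproduce credential_scoping.py; the baseline names, the MissingCredential error, the dict standing in for the os keychain and the sample environment are all assumptions constructed for the example.

```python
"""Per-worker credential scoping: an added illustration, not bernstein's code.

Hypothetical model: a worker declares the env var names it needs; undeclared
names in the orchestrator's environment are withheld; a declared name missing
from the environment is resolved through a keychain lookup callback (a dict
stands in for the OS keychain here); anything unresolvable fails closed.
"""
import os
import subprocess
import sys

# Names always passed through so the child process can start at all.
# Hypothetical baseline; a real implementation chooses its own.
BASELINE = ("PATH", "HOME", "LANG", "TMPDIR", "SYSTEMROOT")


class MissingCredential(RuntimeError):
    """A declared credential could not be resolved from any source."""


def scope_env(declared, parent_env, keychain_lookup):
    """Build the minimal environment a worker receives.

    Only names in `declared` (plus BASELINE) are copied from the parent
    environment. A declared name absent from the parent is looked up in the
    keychain. If neither source has it, raise instead of spawning a worker
    that would silently run unauthenticated.
    """
    scoped = {k: parent_env[k] for k in BASELINE if k in parent_env}
    for name in declared:
        if name in parent_env:
            scoped[name] = parent_env[name]
            continue
        value = keychain_lookup(name)
        if value is None:
            raise MissingCredential(f"{name} not in environment or keychain")
        scoped[name] = value
    return scoped


def leaked_secrets(scoped, parent_env, declared):
    """Parent-env names that reached the worker without being declared."""
    return sorted(
        k for k in scoped
        if k in parent_env and k not in declared and k not in BASELINE
    )


def fails_closed(name, parent_env, keychain_lookup):
    """True if a declared but unresolvable name aborts scoping."""
    try:
        scope_env([name], parent_env, keychain_lookup)
    except MissingCredential:
        return True
    return False


def spawn_worker_env_keys(scoped):
    """Spawn a child interpreter and return the env var names it actually sees."""
    out = subprocess.run(
        [sys.executable, "-c", "import os; print('\\n'.join(sorted(os.environ)))"],
        env=scoped, capture_output=True, text=True, check=True,
    )
    return out.stdout.split()


# Constructed sample: the orchestrator holds two provider keys, the worker
# declares only one of them plus a token that lives only in the keychain.
ORCHESTRATOR_ENV = {k: os.environ[k] for k in BASELINE if k in os.environ}
ORCHESTRATOR_ENV.update({
    "OPENAI_API_KEY": "sk-orchestrator-only",        # constructed, not a real key
    "ANTHROPIC_API_KEY": "anthropic-key-declared",   # constructed, not a real key
})
FAKE_KEYCHAIN = {"GITHUB_TOKEN": "ghp-from-keychain"}  # stand-in for the OS keychain
DECLARED = ["ANTHROPIC_API_KEY", "GITHUB_TOKEN"]


def demo():
    """Scope the sample environment for a worker declaring DECLARED."""
    return scope_env(DECLARED, ORCHESTRATOR_ENV, FAKE_KEYCHAIN.get)


if __name__ == "__main__":
    env = demo()
    print("scoped keys:", sorted(env))
    print("seen by child:", spawn_worker_env_keys(env))
    print("leaked:", leaked_secrets(env, ORCHESTRATOR_ENV, DECLARED))
```

the child interpreter is spawned with env=scoped rather than inheriting, which is the step that actually enforces the boundary; the leaked_secrets check is the kind of assertion a test suite would keep around so that a later "convenience" change to the baseline cannot quietly widen it.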

tags: secrets, credentials
