# Anima Security Basics

## Security Checklist

- [ ] Anima token stored in secret manager (not .env in prod)
- [ ] Figma PAT has minimum required scope (file:read only)
- [ ] SDK runs server-side only (never ship tokens to browser)
- [ ] files gitignored and chmod 600
- [ ] CI secrets stored in GitHub Secrets, not workflow files
- [ ] Generated code reviewed before committing (no embedded tokens)

## Instructions

### Step 1: Figma Token Scope Restriction

### Step 2: Server-Side Only Enforcement

### Step 3: Secret Manager Integration

## Output

- Figma token with minimal scope (read-only)
- Server-side enforcement prev…