diff --git a/OPENCLAW_TRICKS.md b/OPENCLAW_TRICKS.md index f8fecb6..9c1188d 100644 --- a/OPENCLAW_TRICKS.md +++ b/OPENCLAW_TRICKS.md @@ -451,6 +451,14 @@ just direct commits to main. It's a state mirror, not a development workflow. `~/repos/` or a fast external drive) to avoid embedding git repos inside the workspace repo. The workspace repo tracks workspace files only. +**A deliberate policy exception:** The workspace repo violates one of the most +important repo policies — "never commit secrets." The workspace contains API +keys, tokens, and credentials in files like TOOLS.md because those are part of +the agent's operational state. This is an accepted exception because the repo is +permanently private and serves as a backup/DR system, not a development repo. If +your workspace state repo were ever to become public, it would be a catastrophic +leak. Treat it accordingly: private visibility, restricted access, no forks. + ### Putting It All Together The system works as a loop:
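Review bot: The added "A deliberate policy exception" paragraph rests the whole exception on repository visibility ("private visibility, restricted access, no forks") and names no control that still holds if that visibility setting is ever wrong. Because the text says files like TOOLS.md hold API keys, tokens, and credentials, every clone of this repo carries them in plaintext, and deleting a file later does not remove it from earlier commits. Suggest extending the paragraph to state that any exposure (a visibility change, a new collaborator, a lost machine holding a clone) means rotating every credential in the workspace, and to recommend bounding the damage up front, for example by encrypting the credential-bearing files before commit or by scoping the committed tokens to least privilege. It would also help to say how "no forks" is enforced, since the paragraph gives it as a rule without a mechanism.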