i usually use subshells and a project specific shell script to not have variables linger around in long-lived shell processes: ` ( . ./credentials && PW="$CRED_PW" ./the_thing ) ` so credentials can be retrieved via pass or whatever mechanism provides them.

related: https://news.ycombinator.com/item?id=43721228