• Never commit secrets (API keys, tokens, passwords, private keys).
• Secrets must live in local .env files:
  • backend/.env
  • frontend/.env
• Only commit the templates:
  • backend/.env.example
  • frontend/.env.example

This repo ignores common secret files, including:

• .env, .env.*
• *.key, *.pem

1. Assume it is compromised.
2. Rotate/revoke it immediately in the provider dashboard.
3. Rewrite git history if it was committed (force-push only if you understand the impact).