Security: rownap/lead-magnet-generator

SECURITY.md

Security Notes

This is a portfolio MVP, not a hardened production SaaS.

Current Safety Properties

  • No secrets are required to build or run the demo.
  • GEMINI_API_KEY is optional and must stay in .env.local (which is not committed) or in the deployment provider's environment configuration, never in the repository.
  • Local SQLite databases are ignored by git.
  • OAuth has been removed from the demo flow to avoid incomplete auth setup.

Before Production

  • Add real authentication and authorization.
  • Move lead data to managed Postgres.
  • Add rate limiting, bot protection, and duplicate/abuse controls to public opt-in forms.
  • Encrypt or minimize any sensitive lead metadata.
  • Review CSV export permissions before enabling multi-user accounts.
  • Add monitoring for API errors and suspicious form submissions.
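The rate limiting and duplicate/abuse controls listed above can be sketched as a small guard that a form handler calls before writing a lead. The following is an added example, not code from rownap/lead-magnet-generator; the field names (`ip`, `email`, `honeypot`), the limits and the in-memory storage are assumptions chosen for illustration.

```javascript
// Added example (not part of the project): guard for a public opt-in form.
// Combines a per-IP sliding-window rate limit, a honeypot field check and
// duplicate-email suppression. Limits and field names are assumed values.

const WINDOW_MS = 60_000;                      // sliding window length
const MAX_PER_WINDOW = 5;                      // submissions per IP per window
const DUPLICATE_TTL_MS = 24 * 60 * 60 * 1000;  // same email ignored for a day

function createOptInGuard({
  windowMs = WINDOW_MS,
  maxPerWindow = MAX_PER_WINDOW,
  duplicateTtlMs = DUPLICATE_TTL_MS,
  now = () => Date.now(),                      // injectable clock for tests
} = {}) {
  const hitsByIp = new Map();    // ip -> timestamps of recent submissions
  const seenEmails = new Map();  // normalized email -> last accepted time

  function normalizeEmail(email) {
    return String(email ?? '').trim().toLowerCase();
  }

  // Returns { ok: true, email } or { ok: false, reason, ... }.
  function check({ ip, email, honeypot }) {
    const t = now();

    // Honeypot: a hidden field real users leave empty; automated
    // submitters frequently fill every field they find.
    if (honeypot) return { ok: false, reason: 'bot' };

    const normalized = normalizeEmail(email);
    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(normalized)) {
      return { ok: false, reason: 'invalid_email' };
    }

    // Sliding window: keep only timestamps still inside the window.
    const hits = (hitsByIp.get(ip) ?? []).filter((ts) => t - ts < windowMs);
    if (hits.length >= maxPerWindow) {
      hitsByIp.set(ip, hits);
      return {
        ok: false,
        reason: 'rate_limited',
        retryAfterMs: windowMs - (t - hits[0]),
      };
    }
    hits.push(t);
    hitsByIp.set(ip, hits);

    // Duplicate suppression: the same address within the TTL is not a new lead.
    const last = seenEmails.get(normalized);
    if (last !== undefined && t - last < duplicateTtlMs) {
      return { ok: false, reason: 'duplicate' };
    }
    seenEmails.set(normalized, t);
    return { ok: true, email: normalized };
  }

  return { check };
}

// Constructed sample submissions, as a form handler would pass them in.
function demo() {
  const guard = createOptInGuard({ maxPerWindow: 2 });
  return [
    guard.check({ ip: '203.0.113.7', email: 'Jane@Example.com' }),
    guard.check({ ip: '203.0.113.7', email: 'jane@example.com' }), // duplicate
    guard.check({ ip: '203.0.113.7', email: 'bob@example.com', honeypot: 'x' }),
  ];
}
```

The maps live in one process, so on a multi-instance deployment each instance keeps its own counters; before production the same logic would be backed by a shared store (for example the managed Postgres the list above calls for, or a cache with TTL support). Rejected submissions still count toward the per-IP window, which is deliberate: repeated duplicate or invalid attempts from one address are themselves a signal worth feeding to the monitoring the last item mentions.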