The following files contain sensitive data and are NEVER committed to git:

• .env - Your personal API keys and secrets
• .env.* (except .env.example) - Alternative configurations
• .env.local, .env.backup - Local backups

• *.key, *.pem, *.p12 - Certificate files
• credentials.json - Service account keys
• secrets/, .secrets/ - Secret directories

• .backup/ - Contains archived sensitive files and logs

1. Initial Setup

   cp .env.example .env
   # Edit .env with your API keys

2. Verify Protection

   git check-ignore .env
   # Should output: .env

3. Never Commit

   • Always check git status before committing
   • Ensure .env is not listed in changes
   • Use .env.example for documentation

Choose at least one provider:

• Gemini API: https://makersuite.google.com/app/apikey
• Ollama: Local installation (https://ollama.ai)
• Nebius: https://nebius.com
• HuggingFace: https://huggingface.co/settings/tokens

If you accidentally commit a key:

1. Immediately revoke the exposed key in the provider dashboard
2. Generate a new key
3. Update your .env file
4. Use git filter-branch or BFG Repo-Cleaner to remove from history
5. Force push (coordinate with team first!)

• .env file exists locally
• .env contains valid API key(s)
• .env is listed in .gitignore
• git status does not show .env
• .env.example has no real keys
• .backup/ directory is ignored

Contact the maintainer if you have security concerns.