Labels: enhancement (New feature or request)
Description
Feature Description
If possible, it's best not to have the .env file potentially committed to git, even if some parts of it are crucial for cross-developer collaboration while other parts hold sensitive data. (Example: the API keys for the various LLM providers vs. which models actually get used.)
Failure to follow this practice generally results in API keys getting leaked, which has consequences ranging from rate limit annoyances to literal millions of dollars in losses.
Use Case
- How do you guarantee people won't just leave the .env file in Git?
- This is a relatively crucial default, since we don't know how well acquainted people are with application security and secrets management.
Proposed Solution
One way of going about this is loading a .env.example file containing only non-sensitive data, then filling in the .env as normal, and adding a .gitignore entry for .env.
Granted, this may need some caveats in case the project isn't a git repository, is using an alternative VCS, etc.
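One way to implement the proposed layering, together with the checks a reviewer would want (is .env actually ignored, and does .env.example itself carry a real credential), as an added example that is not the project's own code. It assumes the .env.example/.env names from the issue and uses a simplified .gitignore matcher that handles top-level file patterns only.

```python
"""Layered .env loading with a git-ignore check (added example, not the project's code)."""
import fnmatch
import re

# Key names that usually hold credentials, and values that are clearly placeholders.
_SECRET_HINT = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD)", re.I)
_PLACEHOLDER = re.compile(r"^(|\$\{.*\}|<.*>|your[-_].*|changeme|x{3,})$", re.I)

def parse_dotenv(text: str) -> dict:
    """Parse KEY=VALUE lines; skips comments and blanks, strips 'export' and quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        value = value.strip()
        quoted = re.match(r"""^(['"])(.*?)\1""", value)
        # Quoted values keep their content verbatim; bare ones lose a trailing comment.
        env[key] = quoted.group(2) if quoted else value.split(" #", 1)[0].rstrip()
    return env

def load_layered(example_text: str, env_text: str) -> dict:
    """Committed .env.example supplies shared defaults; the local .env overrides them."""
    merged = parse_dotenv(example_text)
    merged.update(parse_dotenv(env_text))
    return merged

def gitignore_covers(gitignore_text: str, path: str = ".env") -> bool:
    """True if the last matching .gitignore rule ignores `path` (top-level files only)."""
    ignored = False
    for raw in gitignore_text.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        negate = pat.startswith("!")
        if fnmatch.fnmatch(path, pat.lstrip("!").lstrip("/")):
            ignored = not negate
    return ignored

def example_secrets(example_text: str) -> list:
    """Keys in .env.example that look secret yet hold a real (non-placeholder) value."""
    return [k for k, v in parse_dotenv(example_text).items()
            if _SECRET_HINT.search(k) and not _PLACEHOLDER.match(v)]
```

Run `example_secrets` against the committed .env.example in CI and `gitignore_covers` against .gitignore so a missing ignore rule or a leaked key in the example file fails the build before it reaches a remote.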