ALL API KEYS AND CREDENTIALS MUST BE REMOVED BEFORE PUSHING TO GITHUB
The following files and patterns contain API keys or credentials and should NEVER be committed to GitHub:
- Credential Files:
  - `PERSONALAI_CREDENTIALS_FOR_CHELASX.txt` - Contains PersonalAI API key
  - Any file matching `*CREDENTIALS*.txt` or `*credentials*.txt`
  - Any file matching `*API_KEY*.txt` or `*api_key*.txt`
- User API Keys:
  - `backend/users/*/api_keys.json` - User-specific API keys stored per user
  - `backend/users_data/*/api_keys.json` - Additional user data API keys
- Environment Files:
  - `.env` - Environment variables (already in .gitignore)
  - `.env.local` - Local environment variables (already in .gitignore)
ALWAYS CHECK:
- ✅ Review all files in `git status` before committing
- ✅ Ensure `.gitignore` includes all credential file patterns
- ✅ Verify no API keys are hardcoded in source files
- ✅ Remove or redact any API keys from documentation files
- ✅ Use environment variables or secure vaults for API keys in production
- PersonalAI API Key: Stored in `PERSONALAI_CREDENTIALS_FOR_CHELASX.txt` (should be in .gitignore)
- User API Keys: Stored in `backend/users/{username}/api_keys.json` (should be in .gitignore)
- Cursor API Key: Used in frontend but should be stored securely, not hardcoded
- Never commit API keys directly in code
- Use environment variables for API keys in production
- Add credential files to .gitignore immediately
- Review git history if you accidentally committed keys (use `git filter-branch` or BFG Repo-Cleaner to remove)
- Rotate API keys if they were ever exposed in git history
If API keys were committed to git:
- Immediately rotate the exposed keys on the service provider
- Remove from git history using:

  ```bash
  git filter-branch --force --index-filter \
    "git rm --cached --ignore-unmatch PATH_TO_FILE" \
    --prune-empty --tag-name-filter cat -- --all
  ```

- Force push (coordinate with team first):

  ```bash
  git push origin --force --all
  ```
Remember: Once API keys are in git history, they are potentially exposed forever. Always rotate keys that were committed, even if you remove them later.
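
One way to enforce the "review staged files" check above automatically, as an added example that is not part of this project: a `pre-commit` hook that refuses a commit when a staged path matches the credential patterns listed in this document. The function names are assumptions, and matching is on path names only, so it does not detect keys hardcoded inside source files.

```bash
#!/bin/sh
# Added example (not project code): block commits that stage files matching
# the credential patterns listed in this document.

# Return 0 if the path matches one of the documented credential patterns.
is_credential_path() {
  case "$1" in
    *CREDENTIALS*.txt|*credentials*.txt) return 0 ;;
    *API_KEY*.txt|*api_key*.txt) return 0 ;;
    backend/users/*/api_keys.json) return 0 ;;
    backend/users_data/*/api_keys.json) return 0 ;;
    .env|*/.env|.env.local|*/.env.local) return 0 ;;
  esac
  return 1
}

# Read one path per line on stdin; print the ones that must not be committed.
blocked_paths() {
  while IFS= read -r p; do
    if is_credential_path "$p"; then
      printf '%s\n' "$p"
    fi
  done
}

# Hook body: inspect staged (added/copied/modified/renamed) paths and fail
# if any of them is a credential file.
run_hook() {
  hits=$(git diff --cached --name-only --diff-filter=ACMR | blocked_paths)
  if [ -n "$hits" ]; then
    echo "Commit blocked: credential files are staged:" >&2
    printf '%s\n' "$hits" | sed 's/^/  /' >&2
    echo "Unstage with: git rm --cached <file>, then add it to .gitignore" >&2
    return 1
  fi
  return 0
}

# Act only when installed as .git/hooks/pre-commit.
if [ "${0##*/}" = "pre-commit" ]; then
  run_hook || exit 1
fi
```

Save it as `.git/hooks/pre-commit` and make it executable; under any other file name it only defines the functions.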