# 🔐 Python Fundamentals — 08 Environment & Secrets

Applications often need configuration values and secrets such as API keys, database URLs, or environment modes.
Hardcoding them is insecure and inflexible — instead, we load them from **environment variables** or a `.env` file.

This notebook shows:
- How to read environment variables with `os.getenv`
- How to manage them with a `.env` file using `python-dotenv`
- Safe handling practices (never commit secrets)
- A minimal configuration pattern for apps

## 1️⃣ Reading environment variables with `os.getenv`

In [None]:
import os

# Read an environment variable
api_key = os.getenv("OPENAI_API_KEY")
print("API key:", api_key)

# You can provide a default value if not found
debug_mode = os.getenv("DEBUG", "false")
print("Debug mode:", debug_mode)

`os.getenv(name, default)` returns `None` if the variable is missing unless a default is provided.

## 2️⃣ Loading a `.env` file with `python-dotenv`

In [None]:
from dotenv import load_dotenv

# Load variables from a .env file in the project root
load_dotenv()

api_key = os.getenv("OPENAI_API_KEY")
app_env = os.getenv("APP_ENV", "dev")
print("Environment:", app_env)
print("Loaded key:", api_key)

Typical `.env` file example:
```bash
OPENAI_API_KEY=sk-xxxxx
APP_ENV=production
DATABASE_URL=postgresql://user:pass@localhost/db
```

These variables will now be available in your program via `os.getenv()`.

## 3️⃣ Good practices for environment management

✅ **Do:**
- Keep a `.env.example` file (without real secrets) under version control.
- Use clear variable names like `APP_ENV`, `DEBUG`, `API_URL`, `SECRET_KEY`.
- Use defaults for non-sensitive configuration.

🚫 **Avoid:**
- Committing `.env` files containing real secrets.
- Printing secret values to logs.
- Mixing dev/test/prod configs in one file.

## 4️⃣ Minimal configuration pattern using a class

In [None]:
from pydantic import BaseModel

class AppConfig(BaseModel):
    env: str
    debug: bool
    openai_api_key: str | None = None

config = AppConfig(
    env=os.getenv("APP_ENV", "dev"),
    debug=os.getenv("DEBUG", "false").lower() == "true",
    openai_api_key=os.getenv("OPENAI_API_KEY"),
)

print(config)

You can combine `os.getenv` and `pydantic.BaseModel` to build lightweight, type-checked configuration objects.

## 5️⃣ Summary
- Use `os.getenv()` to read environment variables
- Use `python-dotenv` to load `.env` files for local development
- Never commit secrets — only `.env.example`
- Build structured config objects with Pydantic when needed

> Environment management keeps secrets safe and configuration flexible.