CRITICAL: Never commit your actual credentials to version control. This includes:

• .env files with real API keys or passwords
• Any files containing SMTP credentials
• API keys or tokens
• Personal email addresses used in testing

The .gitignore file in this project is configured to exclude:

.env
.env.local
.env.*.local
__pycache__/
*.pyc
venv/

1. Verify .gitignore is working:

   git status

   Your .env files should NOT appear in the list

2. Check for hardcoded credentials:

   grep -r "kms_\|ak_\|sk_" --include="*.py" .

   This should only return placeholder values in .env.example files

3. Use environment variables: All examples use os.getenv('VARIABLE_NAME') - never hardcode credentials

The .env.example files contain placeholder values only:

API_KEY=kms_xxxx
SMTP_USER=xxxxx
SMTP_PASSWORD=xxxxx

These are safe to commit and help users understand required configuration.

1. Immediately revoke the exposed credentials in your Keplers.email dashboard
2. Remove them from git history (use tools like git-filter-repo)
3. Generate new credentials
4. Never just delete the file - git history retains it

If you discover a security vulnerability in these examples, please report it by:

• Opening a GitHub issue (for non-sensitive issues)
• Contacting the repository maintainer directly (for sensitive issues)

• ✅ Use .env files for local development
• ✅ Use environment variables in production
• ✅ Keep credentials in secure vaults (1Password, AWS Secrets Manager, etc.)
• ✅ Rotate credentials regularly
• ✅ Use virtual environments to isolate dependencies
• ❌ Never share credentials in chat, email, or screenshots
• ❌ Never commit .env files
• ❌ Never hardcode credentials in source code