- Never commit
.env.local, service-role keys, LLM keys, Post Bridge keys, or media provider keys. - Browser code may use only explicitly public variables such as
NEXT_PUBLIC_SUPABASE_URLand the Supabase anon/publishable key. - Server-only credentials belong in deployment environment variables.
- BYOK Post Bridge keys are AES-256-GCM encrypted with
POSTBRIDGE_CREDENTIAL_ENCRYPTION_KEYbefore database storage.
- Revoke or rotate it at the provider immediately.
- Replace it in local and deployment environment settings.
- Search all branches and tags for the exposed value.
- Rewrite history using a reviewed replacement file:
git filter-repo --replace-text replacements.txt --forceExample replacements.txt:
literal:EXPOSED_SECRET==>***REMOVED***- Coordinate a force push and require collaborators to re-clone.
Deleting a file in a later commit does not remove its earlier contents. A commit-message callback does not scrub file contents.
- Apply all migrations in order.
- Keep RLS enabled for every user-owned table.
- Use the service-role key only in trusted server code.
- The
project-assetsbucket is private; policies require the first path segment to matchauth.uid(). - Cross-project relationships are enforced by composite foreign keys.
TrendWatch accepts only HTTP(S), resolves all DNS answers, rejects private/reserved addresses, validates each redirect, permits at most three redirects, times out after eight seconds, accepts HTML, and streams at most 1MB.
This reduces SSRF risk but does not make arbitrary web scraping legally or operationally unrestricted. Respect platform terms and robots/access controls.