• .tortoise/config.json in any project using Tortoise (may contain api_key)
• API keys, tokens, passwords, or private endpoint URLs with embedded credentials
• Files under .tortoise/backups/ (copies of your source tree)

This repository ships only config.example.json with api_key set to null.

tortoise init
tortoise config --endpoint http://localhost:11434/v1 --model your-model
# Optional — stored only in .tortoise/config.json (gitignored by init):
tortoise config --api-key YOUR_KEY

Or copy the example:

mkdir -p .tortoise
cp config.example.json .tortoise/config.json

From a project that uses Tortoise:

git status   # ensure .tortoise/config.json is not staged

If you find a security issue, open a private report with the maintainer rather than a public issue.