Security Policy β egos-lab π¨ Reporting Vulnerabilities If you discover a security vulnerability, please email [email protected]
π Rules for All Contributors (Humans AND AI Agents)
Never hardcode secrets in source code, comments, or commit messagesNever commit .env files β they are gitignored for a reasonNever log sensitive values (API keys, passwords, tokens) to consoleNever include credentials in AI "thinking" comments (e.g., // the password is X)Never paste .env contents into code as literal stringsNever commit connection strings with embedded passwords
Always use process.env.VAR_NAME to access secretsAlways add new env vars to .env.example (without real values)Always run the pre-commit hook β install with scripts/setup-hooks.shAlways rotate secrets immediately if accidentally exposedAlways use the GitGuardian dashboard to monitor for incidents
Layer
Tool
Status
Pre-commit
scripts/hooks/pre-commitβ
Active
Scanning Config
.gitleaks.tomlβ
Active
Remote Monitoring
GitGuardian
β
Active
Git Ignore
.gitignore (env files)β
Active
π Environment Variables All secrets live exclusively in .env (never committed). See .env.example for required variables.
Variable
Purpose
Rotation Notes
OPENROUTER_API_KEYAI model access
Rotate via OpenRouter dashboard
EXA_API_KEYWeb search
Rotate via Exa dashboard
SERPER_API_KEYGoogle SERP search
Rotate via serper.dev
SUPABASE_SERVICE_ROLE_KEYDB admin access
Rotate via Supabase Settings > API
SUPABASE_DB_PASSWORDDirect Postgres
Rotate via Supabase Settings > Database
GITHUB_PERSONAL_ACCESS_TOKENRepo access
Rotate via GitHub Settings > Tokens
GITHUB_TOKEN / GITHUB_PERSONAL_ACCESS_TOKENServer-side GitHub API access
Rotate via GitHub Settings > Tokens
Date
Incident
Status
2026-02-18
SUPABASE_DB_PASSWORD hardcoded in deploy_nexus_schema.ts comments (commit 9818f4b) β detected by GitGuardianβ
Remediated β script cleaned, password rotation recommended
# Install pre-commit hook# Or use the setup script