Never publish:

• real API keys;
• real private keys;
• real JWT tokens;
• real auth headers;
• real cookies;
• production-only internal paths that expose secrets.

All runtime credentials must be provided by the operator in a local private env file. The repository should only contain examples, never live secrets.

This module is designed around explicit user confirmation. Monitoring is safe to automate, but placing, replacing, and cancelling orders should remain confirmation-gated unless the operator intentionally changes that rule.

Before publishing:

• remove exported local packages that contain personal handoff notes;
• remove temporary test artifacts;
• ensure docs do not expose secret values;
• ensure examples use placeholders only.