This project uses sensitive credentials that should NEVER be pushed to GitHub or any public repository.

Your .gitignore file protects:

• ✅ .env - Contains your actual API keys (NEVER committed)
• ✅ .venv/ - Python virtual environment
• ✅ __pycache__/ - Python bytecode
• ✅ *.log - Log files

• ✅ .env.example - Template with placeholders only
• ✅ Source code files (*.py)
• ✅ requirements.txt
• ✅ README.md
• ✅ Dockerfile, docker-compose.yml

Always run this before pushing to GitHub:

./check_secrets.sh

This script checks for:

• API keys accidentally committed
• Real credentials in .env.example
• Missing .gitignore file

# Initialize git
git init

# Add remote (replace with your GitHub repo)
git remote add origin https://github.com/yourusername/upstox-chatbot.git

# Run security check
./check_secrets.sh

# If check passes, add files
git add .

# Commit
git commit -m "Your commit message"

# Push
git push origin main

# If you just committed but haven't pushed
git reset HEAD~1
git add .gitignore .env.example  # Add only safe files
git commit -m "Initial commit"

# Remove .env from git tracking
git rm --cached .env

# Commit the removal
git commit -m "Remove .env from tracking"

# Push
git push origin main --force

⚠️ Important: If secrets were already pushed publicly, consider them compromised:

1. Revoke the exposed API keys immediately
2. Generate new keys from provider dashboards
3. Update your local .env file

For production deployments, use:

1. Environment Variables (Recommended)

   export UPSTOX_API_KEY="your_key"
   export GOOGLE_API_KEY="your_key"

2. Secret Management Services

   • AWS Secrets Manager
   • Google Cloud Secret Manager
   • Azure Key Vault
   • HashiCorp Vault

3. Docker Secrets (for Docker deployments)

   docker run --env-file .env.production your-image

When using Docker, never include .env in your image:

# ✅ Good - .dockerignore prevents this
COPY . /app

# ❌ Bad - Never do this
COPY .env /app/.env

Use environment variables or Docker secrets instead:

# Pass secrets at runtime
docker run -e UPSTOX_API_KEY=$UPSTOX_API_KEY your-image

Regularly rotate your keys:

1. Upstox API Keys

   • Go to https://account.upstox.com/developer/apps
   • Regenerate keys
   • Update .env
   • Restart services

2. Google Gemini API

   • Go to https://makersuite.google.com/app/apikey
   • Delete old key, create new
   • Update .env

3. Access Tokens

   • Upstox tokens expire daily
   • Re-run python upstox_auth.py to refresh

Before pushing code:

• Ran ./check_secrets.sh - all checks passed
• Verified .env is in .gitignore
• Checked .env.example has no real credentials
• Reviewed git status - no sensitive files staged
• Confirmed no API keys in code comments
• Tested locally after pull to ensure .env not lost

• GitHub Security Best Practices
• OWASP Secrets Management
• 12 Factor App - Config

Remember: The only secret you can share is .env.example with placeholders! 🔒