Do not commit real credentials. Keep .env.example empty and use .env.tpl for 1Password references only.
CI runs the build, the security gates, and a production dependency audit on every push and pull request.
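The following check is an added example, not code from this repository: it enforces the template convention above and can run as one of the CI security gates. It assumes unquoted KEY=VALUE lines and 1Password secret references of the form op://vault/item/field; the sample files it creates are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from this repository: enforces the template
# convention. Every value in .env.example must be empty and every value in
# .env.tpl must be a 1Password secret reference (op://vault/item/field),
# so a pasted real credential fails the check.
# Assumes unquoted KEY=VALUE lines; '#' comments and blank lines are skipped.

# Usage: check_env_templates path/to/.env.example path/to/.env.tpl
# Returns 0 when both files satisfy the convention, 1 otherwise.
check_env_templates() {
    example="$1"
    tpl="$2"
    status=0

    # .env.example: the part after '=' must be empty.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if [ -n "${line#*=}" ]; then
            echo ".env.example: '${line%%=*}' must not carry a value" >&2
            status=1
        fi
    done < "$example"

    # .env.tpl: the part after '=' must be an op:// reference, nothing else.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        case "${line#*=}" in
            op://*/*/*) ;;
            *) echo ".env.tpl: '${line%%=*}' is not a 1Password reference" >&2
               status=1 ;;
        esac
    done < "$tpl"
    return "$status"
}

# Constructed sample files (placeholder values, not real credentials).
tmp=$(mktemp -d)
printf 'DATABASE_URL=\nAPI_KEY=\n' > "$tmp/good.example"
printf 'DATABASE_URL=op://infra/prod-db/url\nAPI_KEY=op://infra/api/key\n' > "$tmp/good.tpl"
printf 'DATABASE_URL=\nAPI_KEY=PLACEHOLDER_NOT_A_REAL_KEY\n' > "$tmp/bad.example"
printf 'API_KEY=op://infra/api/key\nTOKEN=PLACEHOLDER_NOT_A_REAL_TOKEN\n' > "$tmp/bad.tpl"

check_env_templates "$tmp/good.example" "$tmp/good.tpl" && echo "templates OK"
```

Wire it into the pre-commit hook or the CI gate step with the real `.env.example` and `.env.tpl` paths; a non-zero exit blocks the commit or fails the job.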
Report security issues privately to the repository owner. Rotate exposed credentials before discussing the incident publicly.