Security: ddoebel/option-pricing

docs/SECURITY.md

Security Checklist

Secrets handling

  • Never commit .env or any file containing credentials.
  • Use .env.example for non-sensitive defaults only.
  • Set DB credentials through environment variables.
  • Rotate credentials if they have ever appeared in git history.

Database hardening

  • Use a dedicated runtime user with least required privileges.
  • Keep administrative users separate from ingestion users.
  • Restrict DB network access to trusted hosts/VPC/private network.
  • Enable SSL/TLS for non-local database connections.

Publication readiness

Before making the repository public:

  1. Confirm that git status shows no secret files staged.
  2. Search for potential secret patterns:
    • passwords
    • API keys
    • tokens
  3. Verify that .gitignore lists local secret files (.env*).
  4. Regenerate credentials used during development.
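The following script is an added example, not part of the ddoebel/option-pricing repository: it automates steps 1 to 3 of the publication checklist above (staged .env files, secret-looking patterns, .gitignore coverage) and, from the secrets-handling section, checks that .env files are ignored. The regular expression, the function names and the constructed sample tree are assumptions; step 4 (regenerating credentials) remains a manual task.

```shell
#!/bin/sh
# Added example (not from the ddoebel/option-pricing repository):
# a pre-publication scan covering steps 1-3 of the checklist.
# The regex, the sample tree and the function names are assumptions.

# Heuristic for secret-looking lines: an assignment to a password/secret/
# token/api key variable with a literal value of 8+ characters, or a PEM
# private key header. Values such as os.environ["X"] are not literals
# and are skipped; the final decision is still a human review.
SECRET_PATTERN="(password|passwd|secret|token|api[_-]?key)[[:space:]]*[=:][[:space:]]*['\"]?[A-Za-z0-9_/+=.-]{8,}['\"]?([[:space:]#]|$)|-----BEGIN [A-Z ]*PRIVATE KEY-----"

# scan_for_secrets DIR: print matching lines as path:line:text (skipping .git
# and binary files); return 1 if anything matched, 0 otherwise.
scan_for_secrets() {
    hits=$(grep -rEIin --exclude-dir=.git -e "$SECRET_PATTERN" "$1" 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# gitignore_covers_env DIR: return 0 if .gitignore has a line ignoring .env files
# (.env, .env*, .env.* or *.env, optionally anchored with a leading slash).
gitignore_covers_env() {
    grep -Eqs '^/?(\.env\*?|\.env\.\*|\*\.env)[[:space:]]*$' "$1/.gitignore"
}

# staged_env_files DIR: list staged files whose name starts with .env
# (checklist step 1). Prints nothing when DIR is not a git repository.
staged_env_files() {
    [ -d "$1/.git" ] || return 0
    git -C "$1" diff --cached --name-only | grep -E '(^|/)\.env' || true
}

# check_tree DIR: run all checks, print FAIL lines, return 1 on any finding.
check_tree() {
    rc=0
    if ! gitignore_covers_env "$1"; then
        echo "FAIL: $1/.gitignore does not ignore .env files"; rc=1
    fi
    staged=$(staged_env_files "$1")
    if [ -n "$staged" ]; then
        echo "FAIL: .env files staged for commit:"; printf '%s\n' "$staged"; rc=1
    fi
    if ! scan_for_secrets "$1"; then
        echo "FAIL: secret-looking lines found (listed above); review each one"; rc=1
    fi
    return $rc
}

# make_sample_tree: build a constructed working tree in a temp dir and print
# its path. One file deliberately contains a fake leaked password.
make_sample_tree() {
    t=$(mktemp -d)
    printf '.env*\n__pycache__/\n' > "$t/.gitignore"
    printf 'DB_HOST=localhost\nDB_PASSWORD=\n' > "$t/.env.example"
    printf 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n' > "$t/config.py"
    mkdir -p "$t/notes"
    printf 'db_password = hunter2hunter2   # constructed leaked value\n' > "$t/notes/todo.txt"
    printf '%s\n' "$t"
}

# Demo run on the constructed tree: expect one hit in notes/todo.txt.
demo=$(make_sample_tree)
check_tree "$demo"
echo "check_tree exit status: $?"
rm -rf "$demo"
```

Run it as `check_tree /path/to/checkout` before flipping the repository to public; a non-zero exit status means at least one finding. The value pattern deliberately requires a literal token followed by whitespace, a comment or end of line, so `os.environ["DB_PASSWORD"]` in config.py does not trip it while the hard-coded value in notes/todo.txt does; a scanner that flags every line containing "password" trains people to ignore it.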

There aren't any published security advisories