Security: manujajay/manudesign

SECURITY.md

Security Policy

Reporting a vulnerability

If you find a security issue, please don't open a public GitHub issue.

Email me directly: open the most recent commit on main and use the address in the author's GitHub profile, or DM @manujajay on GitHub.

I'll acknowledge within a few business days and aim to ship a fix within two weeks for anything reproducible.

Keys, secrets, and what's safe to commit

  • .env — never commit. It's already gitignored. If you accidentally push one, rotate every key it contained before doing anything else.
  • Supabase anon key — safe to ship to the browser. Security depends entirely on your Row-Level-Security policies. Set them up before going to production.
  • Supabase service_role key — server-side only. It bypasses RLS entirely. Treat it like a root password.
  • FAL_KEY — server-side only. Hits your billing.
  • MAVEY_API_KEY — your shared secret for the public API. Rotate it if it ever appears in a screenshot, log, or chat.

If you leak a key

  1. Rotate first. Every provider has a "regenerate" button — use it. The old key is dead the moment you click.
  2. Then rewrite history with git filter-repo:
    git filter-repo --invert-paths --path .env
    git push --force-with-lease
    Note: rotation alone is usually enough. History rewrites only matter if the secret can't be revoked. git filter-repo removes the origin remote after rewriting, so re-add it before pushing, and anyone with an existing clone has to re-clone rather than pull.
