• Do not commit payment secrets, wallet signing material, broker credentials, user records, or API keys.
• Use .env files for local secrets and keep .env ignored.
• Checkout pages in this public architecture must remain non-functional unless backed by secure server-side code.
• Do not store user data in the repository.

Report security concerns to shawsignaldev@proton.me.