Security: StreetLevelTech1/StrideBot

docs/SECURITY.md

Security & Privacy Guidelines

⚠️ This is a PROPRIETARY Project

This project is private and confidential. Only authorized personnel with explicit permission from StreetLevelTech1 may access, use, or contribute to this codebase.

See LICENSE for full terms.


🔐 Security Best Practices

1. Never Commit Secrets

NEVER commit to this repo:

  • API Keys (Telegram, Groq, CoinGecko, Alpha Vantage, Tavily, Binance, Kraken)
  • Database credentials
  • Private encryption keys
  • Personal information
  • Auth tokens or passwords

2. Use Environment Variables

Create .env file (NEVER commit this):

# .env (add to .gitignore)
TELEGRAM_BOT_TOKEN=your_token_here
GROQ_API_KEY=your_key_here
DATABASE_URL=your_db_url_here
ADMIN_USER_ID=your_id_here
CHANNEL_ID=your_channel_id_here

Load in code:

from core.config import cfg  # Already does this via dotenv
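A loader in the spirit of core.config, added here as an illustration (this is not StrideBot's own core.config; it assumes only the variable names from the .env sample above and, optionally, the python-dotenv package): it refuses to start when a required variable is missing or blank, checks that ADMIN_USER_ID is numeric, and masks secret values in its repr so they do not leak through log formatting or tracebacks.

```python
# Added example, not StrideBot's own core.config: a fail-closed settings loader.
# Assumes python-dotenv (optional) and the variable names from the .env sample above.
import os
from dataclasses import dataclass

try:
    from dotenv import load_dotenv  # pip install python-dotenv
except ImportError:                 # stays runnable without the package
    load_dotenv = None

REQUIRED = ("TELEGRAM_BOT_TOKEN", "GROQ_API_KEY", "DATABASE_URL",
            "ADMIN_USER_ID", "CHANNEL_ID")
# Values that must never appear in logs, tracebacks or the REPL.
SECRET_KEYS = {"TELEGRAM_BOT_TOKEN", "GROQ_API_KEY", "DATABASE_URL"}


class ConfigError(RuntimeError):
    """Raised at startup so a misconfigured bot never runs half-configured."""


def mask(value: str) -> str:
    """Keep just enough of a secret to tell which one it is."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


@dataclass(frozen=True)
class Settings:
    values: dict

    def __getitem__(self, key: str) -> str:
        return self.values[key]

    def __repr__(self) -> str:  # also what appears in tracebacks and %r log formatting
        shown = [f"{k}={mask(v) if k in SECRET_KEYS else v}"
                 for k, v in sorted(self.values.items())]
        return "Settings(" + ", ".join(shown) + ")"


def load_settings(env=None, dotenv_path: str = ".env") -> Settings:
    """Read settings from `env` (default: the process environment, seeded from .env)."""
    if env is None:
        if load_dotenv is not None:
            load_dotenv(dotenv_path)  # never overrides variables already exported
        env = os.environ
    missing = [k for k in REQUIRED if not env.get(k, "").strip()]
    if missing:
        # Name the keys, never the values, so the error is safe to paste into a ticket.
        raise ConfigError("missing required settings: " + ", ".join(missing))
    if not env["ADMIN_USER_ID"].isdigit():
        raise ConfigError("ADMIN_USER_ID must be a numeric Telegram user id")
    return Settings({k: env[k] for k in REQUIRED})


if __name__ == "__main__":
    print(load_settings())  # secrets are masked in the printed representation
```

Failing at import time is deliberate: a bot that starts without its token or database URL tends to surface the problem much later, in a less obvious place.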

3. .gitignore Checklist

Ensure these are in .gitignore:

# Environment
.env
.env.local
.env.*.local

# Secrets
*.key
*.pem
secrets/
config/secrets.yml

# IDE
.vscode/
.idea/
*.swp
*.swo

# Python
__pycache__/
*.pyc
*.pyo
*.egg-info/
dist/
build/

# OS
.DS_Store
Thumbs.db

# Logs
*.log
logs/

# Database
*.db
*.sqlite
*.sqlite3

4. Check for Leaked Secrets

Before each commit:

# Check if any secrets are about to be committed
git diff --cached | grep -i "api_key\|token\|password\|secret"

Scan history for secrets:

# Using git-secrets (install first)
git secrets --scan

5. Rotate Compromised Secrets

If you've ever committed a secret:

  1. Immediately revoke it in the respective service
  2. Generate a new one
  3. Update your .env file
  4. Force push (carefully) or use BFG repo-cleaner to remove from history
  5. Alert your team

For Telegram Bot Token:

1. Go to https://t.me/BotFather
2. Select your bot
3. /revoke → /newtoken

For Groq API Key:

1. Go to https://console.groq.com/keys
2. Delete the compromised key
3. Create a new one

6. Repository Access Control

GitHub Settings → Collaborators & Teams:

  • ✅ Only add trusted contributors
  • ✅ Use role-based access (Admin/Maintain/Write)
  • ✅ Require approval for direct push to main
  • ✅ Enable branch protection rules

Branch Protection (Settings → Branches):

  • ✅ Require pull request reviews
  • ✅ Require status checks to pass
  • ✅ Require branches to be up to date
  • ✅ Restrict who can push

7. Audit Logs

GitHub → Settings → Audit Log:

  • Monitor who accessed the repo
  • Track changes to settings
  • Detect unauthorized access

8. If Repo is Compromised

  1. Immediately make it private (if it's public)
  2. Rotate ALL credentials (API keys, tokens, passwords)
  3. Review recent commits for suspicious changes
  4. Check GitHub Activity Log for unusual access
  5. Notify your team if applicable
  6. Consider re-creating the repo if severely compromised

🚨 Red Flags — Check Now

Run these commands to see if secrets are in your repo:

# Check current uncommitted changes
git diff | grep -i "api_key\|token\|password\|secret"

# Check last 100 commits
git log -p -100 | grep -i "api_key\|token\|password\|secret" | head -20

# Check all branches
git log --all -p | grep -i "TELEGRAM_BOT_TOKEN\|GROQ_API_KEY" | head -20

If you find secrets:

  1. Stop and fix immediately
  2. Regenerate the credentials
  3. Use git filter-branch or BFG to remove from history
  4. Force push (be careful!)
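The grep commands in section 4 and above only catch lines that carry a name like TOKEN or PASSWORD; a key pasted into a line with an innocent name slips through. The script below is an added example, not part of StrideBot, that scans a unified diff (the output of git diff --cached) the way a pre-commit hook would: it looks only at added lines, recognises a few token shapes, flags keyword assignments that are not placeholders, and falls back to an entropy check for random-looking strings. The Telegram and Groq token shapes, the rule names and the constructed SAMPLE_DIFF are assumptions for illustration, not authoritative formats.

```python
# Added example, not part of StrideBot: a pre-commit secret scanner that reads a
# unified diff (as produced by `git diff --cached`) and reports suspicious added lines.
# The token shapes are assumptions for illustration, not authoritative format specs.
import math
import re
import subprocess
import sys
from collections import Counter

PLACEHOLDERS = ("your_", "changeme", "example", "xxx", "<", ">")
KEYWORDS = r"\w*(?:api_key|token|password|secret)\w*"
# KEY=value on a line of its own (.env / yaml style) or KEY = "value" inside code.
ENV_ASSIGN = re.compile(rf"(?i)^\s*{KEYWORDS}\s*=\s*([^\s\"']{{8,}})\s*$")
QUOTED_ASSIGN = re.compile(rf"(?i)\b{KEYWORDS}\s*[=:]\s*[\"']([^\"']{{8,}})[\"']")
SHAPES = {
    # assumed: Telegram bot tokens look like "<numeric id>:<35 chars>"
    "telegram-bot-token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    # assumed: Groq keys start with "gsk_"
    "groq-api-key": re.compile(r"\bgsk_[A-Za-z0-9]{20,}\b"),
    # password embedded in a connection URL, e.g. postgresql://user:PASS@host/db
    "url-credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@"),
}
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{24,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random keys score well above this


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def is_placeholder(value: str) -> bool:
    v = value.lower()
    return any(p in v for p in PLACEHOLDERS)


def scan_diff(diff_text: str) -> list:
    """Return (diff_line_no, rule, redacted_value) for every suspicious added line."""
    findings = []
    for no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only added lines can introduce a secret; "+++" is a file header
        body, seen = line[1:], []
        for rule, rx in SHAPES.items():
            for m in rx.finditer(body):
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append((no, rule, redact(value)))
                seen.append(value)
        for rx in (ENV_ASSIGN, QUOTED_ASSIGN):
            m = rx.search(body)
            if m and not is_placeholder(m.group(1)) and m.group(1) not in seen:
                findings.append((no, "keyword-assignment", redact(m.group(1))))
                seen.append(m.group(1))
        for m in LONG_TOKEN.finditer(body):
            tok = m.group(0)
            if any(tok in s for s in seen):
                continue  # already reported under a more specific rule
            if shannon_entropy(tok) > ENTROPY_THRESHOLD:
                findings.append((no, "high-entropy", redact(tok)))
    return findings


def scan_staged() -> list:
    """Scan what the next `git commit` would record (the grep in section 4, structured)."""
    proc = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True)
    return scan_diff(proc.stdout)


# Constructed sample diff: one placeholder, one real-looking key, one DB password,
# one harmless long name, one random-looking salt, one safe os.environ lookup.
SAMPLE_DIFF = """\
diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,5 @@
+TELEGRAM_BOT_TOKEN=your_token_here
+GROQ_API_KEY=gsk_ConstructedSampleKeyValue12345
+DATABASE_URL=postgresql://app:Sup3rSecretPassw0rd@db.internal:5432/stridebot
+BOT_DISPLAY_NAME=StrideBot_Trading_Assistant_Beta
+WEBHOOK_SALT=Zq7Lp2Xv9Nb4Rt6Kw1Ym8Hd3Fs5Jc0Gx
diff --git a/core/config.py b/core/config.py
-API_KEY = "old"
+API_KEY = os.environ["GROQ_API_KEY"]
"""

if __name__ == "__main__":
    hits = scan_diff(SAMPLE_DIFF) if "--sample" in sys.argv else scan_staged()
    for no, rule, value in hits:
        print(f"diff line {no}: {rule}: {value}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit from a pre-commit hook
```

Run with --sample to see the three findings on the constructed diff (the Groq key, the database password and the random-looking salt; the placeholder, the descriptive name and the os.environ lookup are not reported). Installed as .git/hooks/pre-commit, the non-zero exit stops the commit; findings are printed redacted so the hook's own output never becomes the leak.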

✅ Deployment Security

For Render (or any hosting):

  1. Never paste .env contents into GitHub
  2. Use Render's Environment Variables UI:
    • Settings → Environment → Add Variable
    • Add each secret separately
  3. Do NOT commit render.yaml with secrets
  4. Use GitHub Secrets for CI/CD (if applicable)

For Local Development:

  1. Create .env locally (NOT in repo)
  2. Load it at startup (already done via core.config)
  3. Test that it loads correctly before pushing
  4. Never share .env file with anyone

📝 Audit Checklist

Before each deployment or major change:

  • No secrets in recent commits?
  • .gitignore has all sensitive paths?
  • .env file is in .gitignore?
  • Only authorized collaborators have access?
  • GitHub branch protection enabled?
  • All credentials rotated in last 90 days?
  • Audit log reviewed for suspicious activity?
  • Environment variables set on production server?
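Two of these items (".gitignore has all sensitive paths?" and ".env file is in .gitignore?") and the list in section 3 can be checked mechanically. The script below is an added example, not StrideBot's code: it implements a simplified subset of gitignore matching (no "!" negation, no "**", and "*" in patterns containing a slash may cross directories), tests a constructed set of sensitive paths against a .gitignore, and separately asks git whether any of them is already tracked, because ignore rules never apply to files git already tracks. The sample file names are assumptions; git check-ignore -v PATH remains the authoritative answer for any single path.

```python
# Added example, not part of StrideBot: check that a .gitignore covers the sensitive
# paths from the checklist, and that none of them is already tracked.
# Simplified gitignore semantics: no "!" negation, no "**", and "*" inside a slash
# pattern may cross directories. `git check-ignore -v PATH` is the authoritative answer.
import fnmatch
import subprocess

# Constructed sample paths, one per category in the section 3 checklist (assumed names).
SENSITIVE_PATHS = [
    ".env", ".env.local", ".env.production.local",
    "server.key", "certs/tls.pem", "secrets/groq.txt", "config/secrets.yml",
    "logs/bot.log", "data/stridebot.db", "core/__pycache__/config.cpython-311.pyc",
]

# The section 3 checklist, kept inline so the script runs stand-alone.
EXAMPLE_GITIGNORE = """
# Environment
.env
.env.local
.env.*.local
# Secrets
*.key
*.pem
secrets/
config/secrets.yml
# Python
__pycache__/
*.pyc
# Logs
*.log
logs/
# Database
*.db
*.sqlite
*.sqlite3
"""


def parse_gitignore(text: str) -> list:
    """Active patterns only: comments, blank lines and negations are dropped."""
    lines = (raw.strip() for raw in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith(("#", "!"))]


def pattern_matches(pattern: str, path: str) -> bool:
    """Simplified gitignore semantics for one pattern against a repo-relative path."""
    parts = path.split("/")
    if pattern.endswith("/"):            # "dir/": any ancestor directory named dir
        return any(fnmatch.fnmatchcase(p, pattern[:-1]) for p in parts[:-1])
    if pattern.startswith("/"):          # "/x": anchored at the repository root
        return fnmatch.fnmatchcase(path, pattern[1:])
    if "/" in pattern:                   # "a/b": matched against the whole path
        return fnmatch.fnmatchcase(path, pattern)
    return any(fnmatch.fnmatchcase(p, pattern) for p in parts)  # bare name: any component


def is_ignored(path: str, patterns: list) -> bool:
    return any(pattern_matches(p, path) for p in patterns)


def uncovered_paths(gitignore_text: str, paths=SENSITIVE_PATHS) -> list:
    """Sensitive paths the given .gitignore would NOT ignore."""
    patterns = parse_gitignore(gitignore_text)
    return [p for p in paths if not is_ignored(p, patterns)]


def tracked_sensitive_files(paths=SENSITIVE_PATHS) -> list:
    """Paths already in the index: .gitignore never applies to files git already tracks."""
    proc = subprocess.run(["git", "ls-files", "--", *paths],
                          capture_output=True, text=True, check=True)
    return proc.stdout.split()


if __name__ == "__main__":
    with open(".gitignore", encoding="utf-8") as fh:
        gaps = uncovered_paths(fh.read())
    tracked = tracked_sensitive_files()
    for p in gaps:
        print("not ignored:", p)
    for p in tracked:
        print("already tracked (needs `git rm --cached`):", p)
    raise SystemExit(1 if gaps or tracked else 0)
```

A file reported as already tracked stays in the index until it is removed with git rm --cached; if it ever held a real credential, the rotation steps in section 5 still apply regardless of what .gitignore says now.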

🔗 References


Last Updated: June 19, 2026
Status: Active — Review this document regularly
