Use this checklist before publishing your repository to ensure all secrets are secure.
- Removed hardcoded Supabase URL from `src/lib/supabase.ts`
- Removed hardcoded Supabase anon key from `src/lib/supabase.ts`
- Created `.env.example` with placeholder values
- Updated `.gitignore` to exclude `.env` files
- Created `src/vite-env.d.ts` for TypeScript environment variable types
- Configured environment variables using `import.meta.env.VITE_*`
- Verified secrets removed
- No hardcoded credentials found in codebase
- Verify no secrets in code: Run `git grep -i "supabase\|api.*key\|secret"` to check for any remaining secrets
- Check `.env` is not committed: Ensure `.env` is in `.gitignore` and not tracked by git
- Review all markdown files: Remove any internal documentation with sensitive info
- Clean up TODO and notes: Remove or sanitize internal planning documents
- README.md is complete with setup instructions
- DEPLOYMENT.md explains Netlify deployment process
- All placeholder values are clearly marked (e.g., `your-project-id`)
- License file added (if applicable)
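The "verify no secrets", `.env` and placeholder checks above, as an added example (not the project's own code): a Python scanner that flags Supabase project URLs, JWT-shaped anon/service_role keys and Google API keys in source text, checks that every `.env.example` value is a placeholder, and applies `.gitignore` patterns to `.env` and `.env.example`. The file contents are constructed samples and the patterns are heuristics, so a clean result complements the `git grep` and history checks rather than replacing them.

```python
import fnmatch
import re

# Credential shapes this checklist cares about. Heuristics, not an exhaustive scanner.
PATTERNS = {
    "supabase_url": re.compile(r"https://[a-z]{20}\.supabase\.co"),
    # anon and service_role keys are JWTs: three base64url segments
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}
# Values that are clearly placeholders, in the checklist's "your-project-id" style.
PLACEHOLDER = re.compile(r"your[-_]|<[^>]+>|\.\.\.|changeme", re.I)

def find_secrets(text: str) -> list[tuple[str, int]]:
    """Return (kind, line_no) for every credential-shaped literal in source text."""
    return [(kind, no) for no, line in enumerate(text.splitlines(), 1)
            for kind, rx in PATTERNS.items() if rx.search(line)]

def check_env_example(text: str) -> list[str]:
    """Keys in .env.example whose value looks real rather than like a placeholder."""
    bad = []
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = (part.strip().strip("'\"") for part in line.split("=", 1))
        if value and not PLACEHOLDER.search(value):
            bad.append(key)
    return bad

def env_ignore_status(gitignore: str) -> tuple[bool, bool]:
    """(.env ignored?, .env.example ignored?) under simplified gitignore rules:
    basename globs, '!' negation, last match wins. A bare '.env*' line also
    ignores .env.example, so the placeholder file would never be committed."""
    def ignored(name: str) -> bool:
        state = False
        for pat in (raw.strip() for raw in gitignore.splitlines()):
            if pat and not pat.startswith("#") and fnmatch.fnmatchcase(name, pat.lstrip("!/")):
                state = not pat.startswith("!")
        return state
    return ignored(".env"), ignored(".env.example")

# Constructed samples: supabase.ts before and after the fix, and two .env.example files.
FAKE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiYW5vbiJ9." + "0" * 24
SUPABASE_TS_BEFORE = ('const supabaseUrl = "https://abcdefghijklmnopqrst.supabase.co";\n'
                      f'const supabaseAnonKey = "{FAKE_JWT}";\n')
SUPABASE_TS_AFTER = ("const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;\n"
                     "const supabaseAnonKey = import.meta.env.VITE_SUPABASE_ANON_KEY;\n")
ENV_EXAMPLE_OK = "VITE_SUPABASE_URL=https://your-project-id.supabase.co\nVITE_SUPABASE_ANON_KEY=your-anon-key\n"
ENV_EXAMPLE_BAD = ENV_EXAMPLE_OK.replace("your-anon-key", FAKE_JWT)
```

Run `find_secrets` over every tracked file (not just `src/`), since the markdown files listed below are just as likely to carry a pasted key.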
Review these files for any sensitive information:
- `CLAUDE.md` - Internal instructions (consider removing or sanitizing)
- `TODO.md` - Internal planning (already in `.gitignore`)
- `document_draft.md` - Draft docs (already in `.gitignore`)
- `IMPLEMENTATION_SUMMARY.md` - Implementation notes (review for secrets)
- `CLASS_FEATURE_GUIDE.md` - Feature documentation (should be safe)
- `GOOGLE_API_ENDORSEMENT.md` - API documentation (review)
To check if secrets are in git history:

```
git log -p | grep -i "supabase\|nbzgayazrhhcfgfrgglc"
```

If secrets are found in history, you have two options. In either case, rotate every secret that was ever committed: rewriting or discarding history removes the value from the repository but does not revoke it.

Option 1: Start Fresh (Recommended)

```
# This repository is already a duplicate, so you can simply:
# 1. Create a new GitHub repository
# 2. Initialize git fresh (no history):
rm -rf .git
git init
git add .
git commit -m "Initial commit"
git remote add origin <new-repo-url>
git push -u origin main
```

Option 2: Clean Git History (Advanced)

Use tools like git-filter-repo or BFG Repo-Cleaner to remove secrets from history.
- Row Level Security (RLS) enabled on all tables
- Authentication policies configured for teacher/student access
- Database policies tested to ensure proper access control
- Service role key is NEVER used in client code (only in edge functions)
- Edge functions deployed to Supabase with `GOOGLE_AI_API_KEY` secret set
- CORS settings configured in Supabase (if needed)
- Gemini API key stored as Supabase secret (not in code)
- API usage limits reviewed and appropriate for public use
- API key restrictions configured in Google Cloud Console (if available)

- Clone to fresh directory and test setup process
- Follow README instructions from scratch to verify they work
- Test local development with `.env` file
- Test deployment to Netlify with environment variables
- Create GitHub repository (public or private)
- Push code to GitHub
- Add repository description and topics/tags
- Configure repository settings (Issues, Wiki, etc.)
- Add contributing guidelines (if accepting contributions)
✅ Safe to commit:
- `.env.example` with placeholder values
- Public documentation
- Source code without secrets
- Configuration files (vite.config.ts, etc.)

❌ NEVER commit:
- `.env` files
- Actual API keys or secrets
- Supabase service role key
- Database connection strings with passwords
- Private documentation with sensitive info
Local Development:

```
cp .env.example .env
# Edit .env with your actual values
```

Netlify Production:
- Site Settings → Environment Variables
- Add `VITE_SUPABASE_URL` and `VITE_SUPABASE_ANON_KEY`
- Deploy

Supabase Edge Functions:

```
supabase secrets set GOOGLE_AI_API_KEY=your-key-here
```

If you accidentally expose secrets:
- Immediately rotate all secrets:
  - Generate new Supabase anon key
  - Create new Google AI API key
  - Update all deployments
- Check git history for the exposed secrets
- If in git history:
  - Start fresh repository (recommended)
  - OR use git history rewriting tools
- Update all environments:
  - Local `.env` files
  - Netlify environment variables
  - Supabase secrets
If you have questions about security: