If you discover a security vulnerability, please do NOT open a public issue. Instead, send a private message to the repository maintainer.

This application handles sensitive credentials. Please follow these guidelines:

The following files are automatically excluded by .gitignore:

• .env - Contains API keys and secrets
• credentials.json - Google OAuth client credentials
• token.json - OAuth access and refresh tokens
• *.log - Log files that may contain sensitive data
• exports/ - Output directory containing processed emails

Always verify no credentials are staged:

# Check what files will be committed
git status

# Review the actual changes
git diff --cached

# Ensure sensitive files are not staged
git diff --cached --name-only | grep -E "(\.env|credentials\.json|token\.json)" && echo "WARNING: Sensitive files staged!"

1. Immediately revoke the exposed credentials:

   • For Google OAuth: Go to Google Cloud Console → APIs & Services → Credentials → Delete the exposed OAuth client
   • For API keys: Regenerate keys in your MiniMax/OpenAI dashboard

2. Remove from Git history (if pushed):

   # Remove file from history
   git filter-branch --force --index-filter \
   'git rm --cached --ignore-unmatch credentials.json token.json .env' \
   --prune-empty --tag-name-filter cat -- --all
   
   # Force push (warning: rewrites history)
   git push origin --force --all

3. Rotate all exposed credentials immediately

This application uses minimal OAuth scopes:

• https://www.googleapis.com/auth/gmail.readonly - Read-only access to Gmail

The application CANNOT:

• Send emails
• Delete emails
• Modify your inbox
• Access other Google services

• Store API keys only in .env file
• Never hardcode API keys in source code
• Use environment-specific keys (dev/staging/production)
• Rotate keys periodically