This is a personal demo project. There is no formal support SLA, but security issues should be reported privately before public disclosure.
Do not commit secrets to this repository.
Examples of secrets:
- `GIGACHAT_AUTH_KEY`
- OAuth access tokens
- `Authorization: Basic ...` headers
- `Authorization: Bearer ...` headers
- Private SSH keys and API keys
Use local `.env` files only. Keep only placeholders in `.env.example` files.
Runtime credentials are backend-only. The frontend must call the local proxy and must not receive GigaChat credentials directly.
For corporate TLS interception, use `GIGACHAT_CA_CERT_PATH` with a trusted PEM certificate instead of disabling TLS verification globally.
Before every push, run:

```sh
npm run security:secrets
```

Enable repository hooks once:

```sh
git config core.hooksPath .githooks
```

After that, every commit is checked automatically.
If a secret was exposed:
- Revoke the leaked credential immediately.
- Generate a new credential.
- Replace local values and verify no secret is in tracked files.
- Run `npm run security:secrets`.
- If the secret was committed, clean git history and force-push only after team alignment.
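A minimal scanner for the secret types this policy lists, added here as an illustration only (it is not the repository's own `security:secrets` script). The rule set, the placeholder convention (`<...>` or an empty value is treated as a placeholder, as in `.env.example`) and the sample lines are assumptions made for the example.

```javascript
// Added example: scan text line by line for the secret kinds named in this
// policy. Rules and placeholder convention are assumptions, not the
// project's real configuration.
const RULES = [
  // A real-looking GIGACHAT_AUTH_KEY value. Placeholders such as <your-key>,
  // an empty value, "changeme" or a ${VAR} reference are not flagged.
  { kind: "GIGACHAT_AUTH_KEY",
    re: /^\s*GIGACHAT_AUTH_KEY\s*=\s*["']?(?![\s"'<]|changeme|\$\{)\S+/i },
  { kind: "Authorization: Basic",
    re: /Authorization:\s*Basic\s+[A-Za-z0-9+/=]{8,}/i },
  { kind: "Authorization: Bearer",
    re: /Authorization:\s*Bearer\s+[A-Za-z0-9._~+/=-]{8,}/i },
  { kind: "private key",
    re: /-----BEGIN (?:RSA |OPENSSH |EC |DSA |ENCRYPTED )?PRIVATE KEY-----/ },
];

// Returns one finding per (line, rule) match: { file, line, kind }.
// Line numbers are 1-based so they can be pasted into an editor.
function scanText(text, file = "<stdin>") {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { kind, re } of RULES) {
      if (re.test(line)) findings.push({ file, line: i + 1, kind });
    }
  });
  return findings;
}

// Constructed sample file: one correct placeholder line and three leaks.
// The values are made up for the example and are not real credentials.
const SAMPLE = [
  "# .env.example style placeholder, fine:",
  "GIGACHAT_AUTH_KEY=<your-key>",
  "# leaked real-looking value (constructed, not a real key):",
  "GIGACHAT_AUTH_KEY=ZmFrZS1jbGllbnQtaWQ6ZmFrZS1zZWNyZXQ=",
  "curl -H 'Authorization: Bearer eyJfakeToken.abc123.def456'",
  "-----BEGIN RSA PRIVATE KEY-----",
].join("\n");

// Expected: findings on lines 4, 5 and 6; line 2 is a placeholder and is skipped.
for (const f of scanText(SAMPLE, "sample.env")) {
  console.log(`${f.file}:${f.line}: possible ${f.kind}`);
}
```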
Report security issues privately to the repository maintainers.