This checklist ensures no sensitive information is committed to the public repository.
- Username "nativeapps" removed from all documentation
- Absolute paths `/Users/nativeapps/` removed from docs
- Personal directory paths sanitized
- Author information generalized to "ProxyMe Contributors"
- All `script.py` and `script_*.py` files deleted
- Build logs (`build.log`, `build-jdk17.log`) deleted
- Helper scripts (`proxy-helper.sh`) removed
- Internal session notes deleted
- Development markdown files removed
- Old versioned documentation cleaned up
- .env files listed in .gitignore
- API keys never hardcoded
- No example .env with real keys
- Keys stored in user home directory (`~/.proxyme/`)
- .env files excluded from git
- Proper file permissions documented (600 for .env)
- Old repository URLs removed
- GitHub URLs updated to `native-apps/proxyme`
- Package.json files updated
- CHANGELOG.md links updated
- Documentation links corrected
- .env and environment files
- API keys and secrets patterns
- Build artifacts (except release/)
- Log files
- OS-specific files
- IDE configuration files
- Personal notes and temp files
- User data directories
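The .env rules in the list above (key file kept under the user's home directory, never in the project tree, mode 600, template files carrying placeholders only) can be checked mechanically. The script below is an added example, not tooling from the ProxyMe project; it assumes POSIX sh with `ls`, `cut`, `sed`, `grep -E` and `mktemp`, and every path and file it writes is constructed for the demo (a temp directory stands in for `~/.proxyme/proxy/.env` and for the project checkout).

```shell
#!/bin/sh
# Added example, not part of the ProxyMe project: checks for the key-handling
# rules in the checklist. The real .env must sit outside the project tree
# (the checklist keeps it under ~/.proxyme/) with mode 600, and the committed
# template must hold placeholders only. Assumes POSIX sh with ls, cut, sed,
# grep -E and mktemp; every path and file written below is constructed.

# check_env_file ENV_FILE PROJECT_DIR: 0 when ENV_FILE is outside PROJECT_DIR
# and readable/writable by its owner only; 1 otherwise, with the reason printed.
check_env_file() {
    env_file=$1
    project_dir=$2
    case "$env_file" in
        "$project_dir"/*)
            echo "FAIL: $env_file is inside the project directory (it could end up in git)"
            return 1 ;;
    esac
    if [ ! -f "$env_file" ]; then
        echo "FAIL: $env_file does not exist"
        return 1
    fi
    # Columns 2-10 of `ls -l` are the rwx bits for owner, group and other;
    # mode 600 reads as rw-------.
    mode=$(ls -ld "$env_file" | cut -c2-10)
    if [ "$mode" != "rw-------" ]; then
        echo "FAIL: $env_file has mode $mode, expected rw------- (chmod 600)"
        return 1
    fi
    echo "OK: $env_file is outside the project and mode 600"
    return 0
}

# check_template TEMPLATE: 0 when every KEY=VALUE line carries a placeholder,
# 1 when any value looks like a provider key (sk-..., pplx-..., sk-ant-...).
check_template() {
    # Drop comments and blank lines, keep only the part after the first '='.
    if sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' -e 's/^[^=]*=//' "$1" \
        | grep -qE '^(sk-[a-zA-Z0-9]{20,}|pplx-[a-zA-Z0-9]{20,}|sk-ant-[a-zA-Z0-9]{20,})'; then
        echo "FAIL: $1 contains a key-shaped value"
        return 1
    fi
    echo "OK: $1 contains placeholders only"
    return 0
}

# Demo with constructed paths standing in for ~/.proxyme/proxy/.env and the project.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/home/.proxyme/proxy" "$ROOT/project"
ENV_FILE="$ROOT/home/.proxyme/proxy/.env"
printf 'DEEPSEEK_API_KEY=your-key-here\n' > "$ENV_FILE"
chmod 644 "$ENV_FILE"
check_env_file "$ENV_FILE" "$ROOT/project" || true      # too open: reported as FAIL
chmod 600 "$ENV_FILE"
check_env_file "$ENV_FILE" "$ROOT/project" || true      # passes
printf 'DEEPSEEK_API_KEY=your-key-here\n' > "$ROOT/project/.env.template"
check_template "$ROOT/project/.env.template" || true    # passes
rm -rf "$ROOT"
```

Wire `check_env_file "$HOME/.proxyme/proxy/.env" "$PWD"` into the proxy's startup or into a pre-commit hook and it refuses to proceed when the key file is world-readable or has been copied into the checkout; `check_template` keeps the committed template honest without needing the real key material present.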
Run these commands to verify no sensitive data remains:

```bash
grep -r "nativeapps" . --include="*.md" --include="*.java" --include="*.kt" --exclude-dir=".git" --exclude-dir="docs/archive" --exclude-dir="build"
# Should return NO results (except in archive docs which is OK)

grep -r "/Users/nativeapps" . --include="*.md" --include="*.java" --include="*.kt" --exclude-dir=".git" --exclude-dir="docs/archive" --exclude-dir="build"
# Should return NO results (except in archive docs which is OK)

grep -rE "(sk-[a-zA-Z0-9]{20,}|pplx-[a-zA-Z0-9]{20,}|sk-ant-[a-zA-Z0-9]{20,})" . --exclude-dir=".git" --exclude-dir="node_modules" --exclude-dir="build"
# Should return NO results

grep -rE "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" . --include="*.md" --include="*.java" --exclude-dir=".git" --exclude-dir="node_modules"
# Review any results - should be generic or intentional

git status --ignored
# Review ignored files - should include .env, logs, etc.

git diff --cached --name-only | xargs -I {} sh -c 'echo "=== {} ===" && cat {}'
# Review all staged files manually
```

Verify these files contain NO sensitive information:
- README.md
- INSTALL.md
- BUILD.md
- CONTRIBUTING.md
- TROUBLESHOOTING.md
- CHANGELOG.md
- ROADMAP.md
- LICENSE
- docs/**/*.md (except archive)
```bash
# Check each major file (-E so the alternation works on both GNU and BSD grep)
for file in README.md INSTALL.md BUILD.md CONTRIBUTING.md TROUBLESHOOTING.md; do
  echo "=== Checking $file ==="
  grep -iE "nativeapps|/Users/|api.*key.*=|password|secret" "$file" || echo "✓ Clean"
done
```

Ensure proper API key handling:
- Keys stored in `~/.proxyme/proxy/.env`
- Never in project directory
- Never in version control
- Documented as user-provided
- Template files use placeholders only
- UI masks API keys in display
```bash
cat "Node.js Proxy Cloud AI APIs/.env.template" 2>/dev/null || cat "src/main/resources/proxy/.env.template" 2>/dev/null
# Should contain ONLY placeholders like: DEEPSEEK_API_KEY=your-key-here
```

Ensure no sensitive directories are included:
```bash
# List all committed files
git ls-tree -r HEAD --name-only | head -50
# Should NOT include:
# - Personal directories
# - .env files
# - Log files with real data
# - API key files
# - Backup files with sensitive data
```

Perform a test clone to verify security:
```bash
# Clone to temporary directory
cd /tmp
git clone /path/to/ProxyMe proxyme-test
cd proxyme-test

# Verify no sensitive files (the -name tests are grouped so -type f applies to all of them)
find . -type f \( -name "*.env" -o -name "*secret*" -o -name "*key*" \)
# Should return ONLY .env.template or .gitignore references

# Check for absolute paths
grep -r "/Users/" . --exclude-dir=".git" --exclude-dir="docs/archive"
# Should return NO results (except archive)

# Cleanup
cd ..
rm -rf proxyme-test
```

Immediately remove if found:
- ❌ Real API keys (sk-..., pplx-..., sk-ant-...)
- ❌ Passwords or credentials
- ❌ Personal email addresses (except generic/public)
- ❌ Absolute file paths with usernames
- ❌ Private repository URLs
- ❌ Internal company/project names
- ❌ Development machine hostnames
- ❌ IP addresses (except localhost/127.0.0.1)
- ❌ Database connection strings
- ❌ SSH keys or certificates
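The grep invocations above and the red-flag list amount to one scan with a handful of patterns, and it is easier to run that scan as a single function from a pre-commit hook or CI job than to paste the commands by hand. The script below is an added example, not part of the ProxyMe checklist or project: it folds the checklist's patterns (provider key prefixes, `/Users/<name>` paths, the "nativeapps" username) into one `find` + `grep -E` pass that prunes the same directories the checklist excludes, and it exercises itself against two constructed trees built in a temp directory (one clean, one with a key-shaped placeholder and a personal path). It assumes POSIX sh with `find`, `grep -E`, `awk` and `mktemp`.

```shell
#!/bin/sh
# Added example, not part of the ProxyMe checklist: one scan function that
# applies the patterns from the verification commands and the red-flag list
# (provider key prefixes, /Users/<name> paths, the "nativeapps" username) to a
# working tree and fails when anything matches, so it can gate a commit or a
# CI job. Assumes POSIX sh with find, grep -E, awk and mktemp; the fixture
# trees built below are constructed for the demo and hold no real credentials.

# Single ERE built from the checklist's grep patterns.
SCAN_PATTERN='(sk-[a-zA-Z0-9]{20,}|pplx-[a-zA-Z0-9]{20,}|sk-ant-[a-zA-Z0-9]{20,}|/Users/[a-zA-Z0-9_-]+|nativeapps)'

# scan_tree DIR: prints file:line:text for each hit; returns 1 if there was
# any hit, 0 if the tree is clean. Prunes .git, build, node_modules and
# docs/archive, mirroring the --exclude-dir choices in the checklist.
scan_tree() {
    hits=$(find "$1" -type d \( -name .git -o -name build -o -name node_modules -o -path '*/docs/archive' \) -prune \
        -o -type f -exec grep -nHE "$SCAN_PATTERN" {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# hit_count DIR: number of matching lines (0 for a clean tree).
hit_count() {
    scan_tree "$1" | awk 'END { print NR }'
}

# make_fixture: builds two constructed trees under a temp dir and prints its
# path. "clean" is what the checklist wants to see; "dirty" has a key-shaped
# value in .env and a personal path in a doc, plus an archived doc and a .git
# entry that the scan must skip.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/docs" "$root/dirty/docs/archive" "$root/dirty/.git"
    printf 'DEEPSEEK_API_KEY=your-key-here\n' > "$root/clean/.env.template"
    printf 'Run ./gradlew build from the project root.\n' > "$root/clean/docs/BUILD.md"
    # Key-shaped placeholder (constructed, not a credential) that SCAN_PATTERN matches.
    printf 'PROVIDER_API_KEY=sk-PLACEHOLDER000000000000000000\n' > "$root/dirty/.env"
    printf 'Sources live in /Users/nativeapps/ProxyMe on the dev machine.\n' > "$root/dirty/docs/INSTALL.md"
    printf 'Old note: /Users/nativeapps/scratch\n' > "$root/dirty/docs/archive/OLD.md"
    printf 'ref: refs/heads/main\n' > "$root/dirty/.git/HEAD"
    printf '%s\n' "$root"
}

# Demo run: the clean tree passes, the dirty tree reports exactly its two leaks
# (the archived doc and the .git entry are pruned and never counted).
ROOT=$(make_fixture)
if scan_tree "$ROOT/clean"; then
    echo "clean tree: no hits"
fi
if ! scan_tree "$ROOT/dirty"; then
    echo "dirty tree: $(hit_count "$ROOT/dirty") line(s) must be fixed before publishing"
fi
rm -rf "$ROOT"
```

For real use, call `scan_tree .` from `.git/hooks/pre-commit` (or from the CI job that builds the release) and let its non-zero exit block the commit; the pruned `docs/archive` directory matches the checklist's "except archive" tolerance, so drop that prune if the archive is ever meant to be clean too.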
Before pushing to GitHub, verify:
```bash
# Check git log for sensitive commit messages
git log --oneline | grep -iE "password|secret|key|private"
# Should be empty or reviewed

# Check all tracked files
git ls-files | wc -l
# Should be reasonable number (not including sensitive files)

# Verify .gitignore is working
git status --ignored | grep -iE "\.env|\.log"
# Should show these as ignored

# Final scan
git grep -iE "password|secret|private.*key" -- '*.md' '*.java' '*.kt' '*.json'
# Review all results - should be documentation only
```

Before deploying to GitHub, confirm:
- Ran all verification commands above
- Reviewed flagged items
- No real API keys found
- No personal paths found
- No sensitive usernames found
- .gitignore is comprehensive
- Documentation is clean
- Test clone performed successfully
- All red flags addressed
Signed off by: ___________________
Date: ___________________
If you discover sensitive information after pushing to GitHub:
- DO NOT just delete the file - Git history still contains it
- Rotate any exposed credentials immediately
- Use git-filter-repo or BFG Repo-Cleaner to remove from history
- Force push the cleaned history
- Notify anyone who cloned the repository
```bash
# Install git-filter-repo
brew install git-filter-repo   # macOS
# or: pip install git-filter-repo

# Remove sensitive file from entire history
git filter-repo --path path/to/sensitive/file --invert-paths

# Force push
# (git filter-repo removes the "origin" remote as a safety measure; re-add it
# with `git remote add origin <url>` before pushing, and push --tags as well if
# any tags pointed at the rewritten commits)
git push origin --force --all
```

- GitHub's Guide to Removing Sensitive Data
- Git Secrets Tool
- BFG Repo-Cleaner
- GitGuardian - Automated secret scanning
Remember: Once pushed to GitHub, assume data is public forever. Better to be overly cautious!