C7 | Intermediate

Environment Variable Audit

30 min | Before each deployment

Format: Check if your project has any hardcoded secrets.

Search for these patterns:

- API keys (sk-, pk-, key-)
- Database passwords
- JWT secrets
- OAuth credentials
- Third-party service tokens

Correct approach:

// Wrong: Hardcoded
const apiKey = "sk-proj-xxxxx"

// Correct: Environment variables
const apiKey = process.env.OPENAI_API_KEY
if (!apiKey) throw new Error('API key not configured')

Checklist:

- Is the .env file in .gitignore?
- Is there a .env.example file (with only variable names, no values)?
- Are there any accidentally committed secrets in Git history?
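
The search patterns and the first two checklist items can be automated. The following is an added example, not code from the original exercise: the function names, the length thresholds and the sample inputs are assumptions made for illustration.

```javascript
// Added example: audit helpers for the checklist above (not the page's own code).
// The sk-/pk-/key- prefixes come from the page; lengths and names are assumptions.
const RULES = [
  { name: 'prefixed API key', re: /["'`](?:sk|pk|key)-[A-Za-z0-9_-]{8,}["'`]/ },
  { name: 'secret assigned as literal',
    re: /(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*["'`][^"'`\s]{8,}["'`]/i },
];

// One finding per offending line. Reads of process.env never match because
// both rules require a quoted literal value.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const rule = RULES.find(r => r.re.test(line));
    if (rule) findings.push({ file, line: i + 1, rule: rule.name });
  });
  return findings;
}

// True when .gitignore covers .env; a later "!.env" negation re-includes it.
function ignoresEnv(gitignore) {
  let ignored = false;
  for (const raw of gitignore.split(/\r?\n/)) {
    const l = raw.trim();
    if (['.env', '/.env', '.env*'].includes(l)) ignored = true;
    if (['!.env', '!/.env'].includes(l)) ignored = false;
  }
  return ignored;
}

// Variable names in .env.example that carry a value (the file should hold names only).
function exampleValues(envExample) {
  return envExample.split(/\r?\n/)
    .map(l => l.trim().match(/^(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$/))
    .filter(m => m && m[2].replace(/^["']|["']$/g, '') !== '')
    .map(m => m[1]);
}

// Constructed sample inputs.
const SAMPLE_SOURCE = [
  'const apiKey = "sk-proj-xxxxx"',
  'const key2 = process.env.OPENAI_API_KEY',
  'const dbPassword = "hunter2-not-real"',
].join('\n');
const SAMPLE_GITIGNORE = 'node_modules\n.env\n';
const SAMPLE_EXAMPLE = '# copy to .env\nOPENAI_API_KEY=\nDATABASE_URL=postgres://user:pw@db/app\n';
console.log(scanSource('src/config.js', SAMPLE_SOURCE));
console.log('.env ignored:', ignoresEnv(SAMPLE_GITIGNORE));
console.log('.env.example values:', exampleValues(SAMPLE_EXAMPLE));
```

The third checklist item needs the repository itself: `git log -p --all -S 'sk-'` lists every commit that added or removed that string, including commits whose files were later deleted.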
