- No live credentials in Git, ever: full API keys, access tokens, cookies, SSH private keys, passwords, seed phrases, card CVVs, one-time codes, or any config/log that can directly log in, transfer money, or call a paid service. A private repo is not a password manager.
- Real secrets live in the OS keychain, a password manager, environment variables, or gitignored local files.
- Any third-party or "free" LLM API key pasted into a chat is treated as already leaked: never written to a file, never committed, never echoed back.
- Third-party raw data (dictionary dumps, question banks) stays in a gitignored
_external-refs/directory with a tracked curation ledger, so the data is rebuildable but never republished.
If you find sensitive data accidentally published in this repository, please open a private security advisory or contact the maintainer; the offending content will be purged from history, not just deleted.