Before making this repository public, you must rotate the following credentials that were previously committed to git history:
- GROQ_API_KEY - Generate a new API key from Groq Console
- BLOB_READ_WRITE_TOKEN - Generate a new token from Vercel Dashboard → Storage → Blob
- DATABASE_URL - Consider rotating the database password in Neon console (optional but recommended)
All sensitive configuration is stored in environment variables. Never commit:
- .env files
- API keys
- Database connection strings with credentials
- Tokens or secrets
Set these in Vercel Dashboard → Project Settings → Environment Variables:
- DATABASE_URL - PostgreSQL connection string (from Neon or your database provider)
- LLM_PROVIDER - Either groq or openai
- GROQ_API_KEY - Your Groq API key (if using Groq)
- OPENAI_API_KEY - Your OpenAI API key (if using OpenAI)
- BLOB_READ_WRITE_TOKEN - Vercel Blob storage token (optional, for resume storage)
- Copy .env.example to .env
- Fill in your actual credentials (never commit .env)
- The .env file is already in .gitignore
- .env and .env.local files
- node_modules/
- uploads/ directory (local file storage)
- Any files containing API keys or secrets
Before making this repo public:
- ✅ Rotate all exposed credentials (see above)
- ✅ Verify .env.example contains only placeholders
- ✅ Ensure .gitignore includes all sensitive files
- ✅ Update Vercel environment variables with new credentials
- ✅ Test that the app still works on Vercel after rotation
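The "Verify .env.example contains only placeholders" step can be automated. The following is an added example, not code from this repository: the function names and the list of placeholder markers are assumptions, and the sample inputs are constructed.

```javascript
// Added example: names follow the variables listed on this page; the
// placeholder markers are an assumption, adjust them to your own template.
const SENSITIVE = ["DATABASE_URL", "GROQ_API_KEY", "OPENAI_API_KEY", "BLOB_READ_WRITE_TOKEN"];
const PLACEHOLDER = /^$|your|example|placeholder|changeme|password|xxx|<[^>]*>/i;

// Password embedded in a connection string, or null if the value is not a URL.
function urlPassword(value) {
  try {
    return decodeURIComponent(new URL(value).password);
  } catch {
    return null;
  }
}

// Returns [{ line, key }] for sensitive keys whose value does not look like a
// placeholder. Values are never returned, so the report is safe to log in CI.
function auditEnvExample(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const m = raw.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/);
    if (!m || !SENSITIVE.includes(m[1])) return; // comments, blanks, non-secret keys
    const value = m[2].replace(/^(["'])(.*)\1$/, "$2"); // strip matching quotes
    // For DATABASE_URL only the password part matters; host and user are not secret.
    const pw = m[1] === "DATABASE_URL" ? urlPassword(value) : null;
    const candidate = pw === null ? value : pw;
    if (!PLACEHOLDER.test(candidate)) findings.push({ line: i + 1, key: m[1] });
  });
  return findings;
}

// Constructed sample inputs (no real credentials).
const CLEAN_EXAMPLE = [
  "# template",
  "DATABASE_URL=postgresql://user:password@host/dbname",
  "LLM_PROVIDER=groq",
  "GROQ_API_KEY=your_groq_api_key",
  "OPENAI_API_KEY=",
  'BLOB_READ_WRITE_TOKEN="<vercel-blob-token>"',
].join("\n");
const LEAKY_EXAMPLE = [
  "DATABASE_URL=postgresql://app:Zk4tQ9-constructed@db.invalid/app",
  "LLM_PROVIDER=groq",
  "GROQ_API_KEY=CONSTRUCTED-not-a-real-key-0123456789",
].join("\n");

console.log(auditEnvExample(CLEAN_EXAMPLE));
console.log(auditEnvExample(LEAKY_EXAMPLE));
```

A finding here means the value must be treated as exposed and rotated, not only replaced in the file, since it stays in git history.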
The app will continue to work on Vercel after making the repo public because:
- Environment variables are set in Vercel Dashboard (not in the repo)
- The code reads from process.env which Vercel injects at runtime
- No secrets are hardcoded in the source code
If you discover a security vulnerability, please report it responsibly.