Security Notes Repository should remain private. Do NOT commit real API keys/tokens. Use env vars at bootstrap time. Rotate all keys if this repo is ever exposed.