Security: liam-betsworth/unit

SECURITY.md

Security Checklist for Public Repository

✅ Completed Security Measures

Environment Variables

  • Created .gitignore at root level
  • Added .env to .gitignore
  • Added .env.local to .gitignore
  • Added .env.*.local to .gitignore
  • Created agent/.env.example with placeholder values
  • Created frontend/.env.example with safe defaults
  • Verified actual .env files are ignored by git

Database & Data Files

  • Added *.db to .gitignore
  • Added *.db-journal to .gitignore
  • Added agent/agent_histories/ to .gitignore
  • Verified backend/data/unit.db is ignored

API Keys & Secrets

  • No real API keys in committed files
  • Only placeholder keys in .env.example files
  • OpenAI API key is in .env (ignored)
  • No hardcoded secrets in source code

Python & Node

  • Added __pycache__/ to .gitignore
  • Added node_modules/ to .gitignore
  • Added venv/ and virtual environment folders
  • Added .next/ build directory

IDE & OS Files

  • Added .vscode/ to .gitignore
  • Added .DS_Store to .gitignore
  • Added IDE-specific files

Setup Instructions for New Contributors

1. Clone Repository

git clone <repo-url>
cd unit

2. Set Up Environment Variables

Agent (.env):

cd agent
cp .env.example .env
# Edit .env and add your OpenAI API key

Frontend (.env.local):

cd frontend
cp .env.example .env.local
# Defaults should work, but adjust if needed

3. Never Commit Secrets

  • Always use .env.example as a template
  • Never commit actual .env files
  • If you accidentally commit a secret:
    1. Immediately revoke/rotate the key; treat it as compromised from the moment it was committed
    2. Remove it from git history with BFG Repo-Cleaner or git filter-repo (git filter-branch still works but git deprecates it in favour of filter-repo)
    3. Force push the rewritten history if the commit had already been pushed

Files Excluded from Git

Environment Files

  • agent/.env
  • frontend/.env.local
  • Any other .env.* files (only the .env.example templates are committed)

Data Files

  • backend/data/*.db
  • agent/agent_histories/*.json
  • Any *.db or *.sqlite files

Build & Cache

  • node_modules/
  • __pycache__/
  • .next/
  • venv/, env/, .venv/

IDE & OS

  • .vscode/
  • .DS_Store
  • *.swp, *.swo

Pre-Commit Checklist

Before committing, run these; every grep should print nothing (grep exits 1 when there is no match):

# Check git status
git status

# Verify no .env files are staged (grep -F matches the literal dot; .env.example is fine to commit)
git diff --cached --name-only | grep -F '.env' | grep -v '\.example$'

# Search for potential secrets in staged changes (only the added lines, so removing a key does not match)
git diff --cached | grep -E '^\+' | grep -i "sk-proj-"
git diff --cached | grep -E '^\+' | grep -i "api[_-]key"

# Check what's being ignored
git status --ignored | grep -E "\.env|\.db|agent_histories"
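The checks above are one-off commands that are easy to skip. As an added example (not part of the liam-betsworth/unit repository), here is a pre-commit hook that runs them automatically: it refuses the commit if a protected file is staged or if any added line matches a credential shape. The pattern list, the `agent/` and `frontend/` paths and the hypothetical file name `pre-commit-secrets.sh` are assumptions drawn from this checklist; the `sk-proj-` prefix is the one the page already greps for.

```sh
#!/bin/sh
# Added example, not part of the liam-betsworth/unit repository: a pre-commit
# hook that refuses commits which stage a protected file or add a line that
# looks like a credential. Install with:
#   cp pre-commit-secrets.sh .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
# The secret shapes below are assumptions; "sk-proj-" comes from the checklist.

SECRET_PATTERNS="sk-(proj-)?[A-Za-z0-9_-]{20,}|AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(api[_-]?key|secret|password)[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9/+_-]{8,}"

# is_forbidden_path PATH: 0 if PATH must never be tracked, 1 otherwise.
# Mirrors the .gitignore rules in this checklist; *.example templates are allowed.
is_forbidden_path() {
    case "$1" in
        *.example) return 1 ;;
        .env|*/.env|.env.*|*/.env.*) return 0 ;;
        *.db|*.db-journal|*.sqlite) return 0 ;;
        agent/agent_histories/*) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_added_lines [LABEL]: read a unified diff on stdin and print every ADDED
# line (without its leading +) that matches SECRET_PATTERNS, prefixed with LABEL.
# Returns 1 if anything matched, 0 if clean. Removed lines are ignored, so a
# commit that deletes a leaked key does not trip the hook.
scan_added_lines() {
    hits=$(grep -E '^\+' | grep -E -v '^\+\+\+ ' | grep -E -i "$SECRET_PATTERNS" || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | awk -v label="${1:-diff}" '{ print label ": " substr($0, 2) }'
    return 1
}

# check_staged_changes: run both checks over the index. Returns 1 (block the
# commit) if a protected file is staged or any staged hunk adds a secret.
check_staged_changes() {
    problems=$(
        git diff --cached --name-only --diff-filter=ACMR | while IFS= read -r path; do
            if is_forbidden_path "$path"; then
                printf 'protected file staged: %s\n' "$path"
            fi
            case "$path" in *.example) continue ;; esac
            git diff --cached -U0 --no-color -- "$path" | scan_added_lines "$path" || true
        done
    )
    if [ -z "$problems" ]; then
        return 0
    fi
    printf 'pre-commit: refusing to commit\n%s\nUnstage the file (git restore --staged <path>) or move the value into an ignored .env file.\n' "$problems" >&2
    return 1
}

# When git runs this file as the hook, $0 ends in hooks/pre-commit and a
# non-zero exit aborts the commit. Sourcing or running it elsewhere only
# defines the functions.
case "$0" in
    */hooks/pre-commit) check_staged_changes || exit 1 ;;
esac
```

The hook only looks at added lines of the staged diff, so it cannot be bypassed by committing a file unchanged and it does not fire when a leaked value is removed; `git commit --no-verify` still skips it, which is why the server-side scan before publishing remains necessary.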

Emergency: Secret Committed

If you accidentally commit a secret:

  1. Immediately revoke the secret. Do this first: rewriting history does not undo the exposure, because every clone, fork and CI cache made before the rewrite still holds the commit.

  2. Remove from git history

    # Using BFG Repo-Cleaner (recommended): run it against a fresh mirror clone;
    # passwords.txt holds one leaked value per line and BFG replaces each with ***REMOVED***
    git clone --mirror <repo-url> unit.git
    java -jar bfg.jar --replace-text passwords.txt unit.git
    cd unit.git
    git reflog expire --expire=now --all && git gc --prune=now --aggressive

    # Or using git filter-branch (still shipped with git, but deprecated in favour of git filter-repo)
    git filter-branch --force --index-filter \
      "git rm --cached --ignore-unmatch path/to/file" \
      --prune-empty --tag-name-filter cat -- --all
    # filter-branch keeps the old history under refs/original/; delete it, then expire reflogs and gc
    git for-each-ref --format='%(refname)' refs/original/ | xargs -n 1 git update-ref -d
    git reflog expire --expire=now --all && git gc --prune=now
  3. Force push (if already pushed)

    git push --force --all
    git push --force --tags
  4. Tell collaborators to re-clone (or hard-reset their branches onto the rewritten history); a rebase from an old clone can reintroduce the removed commits
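Two things in the procedure above are easy to get wrong: deleting the file in a new commit does not remove it from history, and `git filter-branch` leaves the unrewritten history under `refs/original/`, so a scan over `git rev-list --all` still finds the key until those refs are dropped. The following added example (not the project's code) builds a throwaway repository with a constructed placeholder key, applies the naive fix and then the real one, and checks every reachable commit after each stage. The repository layout, the placeholder value and the helper names are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the liam-betsworth/unit repository. It shows why
# "revoke first, then rewrite" is the order: a key deleted in a later commit, or
# purged with filter-branch but left under refs/original/, is still readable
# from history. The repository layout and the fake key are constructed.

# scan_history REPO_DIR PATTERN: search every commit reachable from any ref
# (git rev-list --all), not just HEAD. Prints "<commit>:<path>" for each hit.
# Returns 0 if clean, 1 if the pattern survives anywhere, 2 if REPO_DIR is not a repo.
scan_history() {
    [ -d "$1/.git" ] || return 2
    hits=$(cd "$1" && git rev-list --all | xargs git grep -l -I -e "$2" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# verdict PATTERN: "leaked" or "clean" for the repository in the current directory.
verdict() {
    if scan_history . "$1" >/dev/null; then echo clean; else echo leaked; fi
}

# demo_purge WORK_DIR: build a throwaway repo that commits a fake key in
# agent/.env, apply the naive fix (delete the file in a new commit), then the
# real fix from the checklist. Prints the verdict after each stage and returns 0
# only if the final state is clean. The body is a subshell so the cd does not leak.
demo_purge() (
    fake_key='sk-proj-THISISNOTAREALKEY0000000000000000'   # constructed placeholder, not a credential
    mkdir -p "$1" && cd "$1" || exit 2
    git -c init.defaultBranch=main init -q .
    git config user.email dev@example.com && git config user.name "Dev"
    mkdir agent
    printf 'OPENAI_API_KEY=%s\n' "$fake_key" > agent/.env
    printf 'print("hello")\n' > agent/main.py
    git add . && git commit -q -m "initial commit (accidentally includes agent/.env)"

    # Naive fix: delete the file in a new commit. HEAD is clean, history is not.
    git rm -q agent/.env && git commit -q -m "remove .env"
    s1=$(verdict "$fake_key")

    # Real fix, step one: rewrite history (the filter-branch form used above).
    FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch --force --index-filter \
        'git rm --cached --ignore-unmatch agent/.env' --prune-empty -- --all >/dev/null 2>&1
    s2=$(verdict "$fake_key")   # still leaked: refs/original/ keeps the old tip

    # Step two: drop the backup refs and reflog entries, then let gc delete the blob.
    git for-each-ref --format='%(refname)' refs/original/ | xargs -n 1 git update-ref -d
    git reflog expire --expire=now --all
    git gc -q --prune=now
    s3=$(verdict "$fake_key")

    echo "after delete commit: $s1; after filter-branch: $s2; after dropping refs/original: $s3"
    [ "$s3" = clean ]
)
```

Run `scan_history /path/to/clone 'sk-proj-'` against a fresh `--mirror` clone after the force push; if it prints anything, the rewrite did not reach every ref (tags and refs/original/ are the usual leftovers). Even a clean result only proves the public history is clean, not that nobody fetched the key while it was exposed, which is why step 1 is revocation.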

Verification Commands

Run these before making the repository public:

# Check for common secret patterns
git grep -i "api[_-]key" -- . ':!*.example' ':!SECURITY.md'
git grep -i "sk-proj-" -- . ':!*.example' ':!SECURITY.md'
git grep -i "password" -- . ':!*.example' ':!SECURITY.md'

# Verify .env files are ignored
git check-ignore agent/.env frontend/.env.local

# Check tracked files (the index): nothing matching should be listed
git ls-files | grep -E '(^|/)\.env(\.[^/]*)?$|\.db$|\.sqlite$' | grep -v '\.example$'

Every grep above should print nothing (grep exits 1 when there is no match), and git check-ignore should echo both paths back, confirming they are ignored.
