StillHammer/confluent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
master
confluent/SECURITY.md
StillHammer 5602ce50be Prepare project for GitHub publication 
- Add comprehensive README.md with examples and quick start
- Add SECURITY.md with API key safety guidelines
- Add MIT LICENSE
- Add .gitattributes for line ending normalization
- Create .env.example templates (root + ConfluentTranslator)
- Update .gitignore (remove unused rules, add .env variants)
- Archive work documents to docs/archive/
- Remove temporary files (nul, prompt-*.json)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-10 08:57:43 +08:00

97 lines
2.6 KiB
Markdown
Raw Permalink Blame History

# Security Policy
## Sensitive Information
**IMPORTANT**: This repository contains code that requires API keys from third-party services (Anthropic, OpenAI).
### Environment Variables
**NEVER commit the `.env` file to version control.**
The `.env` file contains sensitive credentials:
- `ANTHROPIC_API_KEY` - Your Anthropic Claude API key
- `OPENAI_API_KEY` - Your OpenAI GPT API key
These keys provide access to paid services and **must remain private**.
### Setup Instructions
1. Copy `.env.example` to `.env`:
```bash
cp .env.example .env
```
2. Edit `.env` and add your actual API keys:
```env
ANTHROPIC_API_KEY=sk-ant-your-actual-key-here
OPENAI_API_KEY=sk-proj-your-actual-key-here
```
3. Verify `.env` is in `.gitignore`:
```bash
cat .gitignore | grep .env
# Should show: .env
```
### If You Accidentally Committed API Keys
If you accidentally committed a file containing API keys:
1. **Immediately revoke** the exposed keys:
- Anthropic: https://console.anthropic.com/settings/keys
- OpenAI: https://platform.openai.com/api-keys
2. Generate new API keys from the respective platforms
3. Update your `.env` file with the new keys
4. Remove the sensitive file from Git history:
```bash
# Remove file from history (dangerous - use with caution)
git filter-branch --force --index-filter \
"git rm --cached --ignore-unmatch .env" \
--prune-empty --tag-name-filter cat -- --all
# Force push (only if repository is private or you're sure)
git push origin --force --all
```
### Best Practices
- **Never** hardcode API keys in source code
- **Never** commit `.env` files
- Use `.env.example` as a template (without real keys)
- Rotate API keys regularly
- Use separate keys for development and production
- Monitor API usage for unexpected activity
## Reporting Security Issues
If you discover a security vulnerability in this project, please email the maintainer directly rather than opening a public issue.
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| Latest | :white_check_mark: |
| Older | :x: |
## Dependencies
This project uses third-party npm packages. Run `npm audit` regularly to check for known vulnerabilities:
```bash
cd ConfluentTranslator
npm audit
npm audit fix # Apply automatic fixes if available
```
## API Rate Limits
Be aware of API rate limits and costs:
- **Anthropic Claude**: Pay-per-use (check pricing at https://www.anthropic.com/pricing)
- **OpenAI GPT**: Pay-per-use (check pricing at https://openai.com/pricing)
Monitor your usage to avoid unexpected bills.
Reference in New Issue View Git Blame Copy Permalink