NEVER commit API keys to version control!
This project requires API keys for AI services (Gemini, OpenRouter). All API keys must be stored securely using environment variables or .env files.
$env:GEMINI_API_KEY="your_gemini_api_key_here"
$env:OPENROUTER_API_KEY="your_openrouter_api_key_here"

set GEMINI_API_KEY=your_gemini_api_key_here
set OPENROUTER_API_KEY=your_openrouter_api_key_here

export GEMINI_API_KEY="your_gemini_api_key_here"
export OPENROUTER_API_KEY="your_openrouter_api_key_here"

- Copy the example file:
  cp .env.example .env
- Edit .env with your actual keys:
  GEMINI_API_KEY=your_actual_gemini_key_here
  OPENROUTER_API_KEY=your_actual_openrouter_key_here
- Load environment variables (optional):
  # Install python-dotenv
  pip install python-dotenv
  # In your script
  from dotenv import load_dotenv
  load_dotenv()
- Visit: https://makersuite.google.com/app/apikey
- Sign in with your Google account
- Click "Create API Key"
- Copy the key (starts with AIzaSy...)
- Visit: https://openrouter.ai/keys
- Sign up or log in
- Create a new API key
- Copy the key (starts with sk-or-...)
import os

# BAD - Hardcoded API key in source code
os.environ['GEMINI_API_KEY'] = 'YOUR_API_KEY_HERE'  # NEVER hardcode keys!

# GOOD - Load from environment
GEMINI_API_KEY = os.getenv("GEMINI_API_KEY")
if not GEMINI_API_KEY:
    # Fail fast so a missing key is noticed at startup, not mid-request
    raise ValueError("GEMINI_API_KEY environment variable not set")

The following files are automatically excluded from git:
- .env - Your actual API keys
- .env.local - Local environment overrides
- *.key - Any key files
- *.pem - Certificate files
- secrets.json - Secret configuration files
- credentials.json - Credential files
Before committing, always check:
# Search for potential API keys in staged files
git diff --cached | grep -i "api_key\|apikey\|secret\|password"
# Check git history for exposed keys
git log -p | grep -i "AIzaSy\|sk-or-"

- Immediately revoke the key:
  - Gemini: https://makersuite.google.com/app/apikey
  - OpenRouter: https://openrouter.ai/keys
- Generate a new key
- Remove from git history:
  # Use git filter-branch or BFG Repo-Cleaner
  # See: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository
- Force push to remote:
  git push --force
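
The staged-diff check under "Before committing, always check" matches on variable names, so it also flags safe lines such as os.getenv("GEMINI_API_KEY"). The following is an added example, not part of this project's code, that matches key-shaped values on added lines only and redacts them to their prefix in its report. The key length and alphabet in the patterns are assumptions, and the sample path and key values are constructed.

```python
import re
import sys

# Prefixes come from this page; key length and alphabet are assumptions.
KEY_PATTERNS = {
    "gemini": re.compile(r"AIzaSy[0-9A-Za-z_-]{20,}"),
    "openrouter": re.compile(r"sk-or-[0-9A-Za-z_-]{20,}"),
}

def scan_diff(diff_text):
    """Return (path, new_line_no, kind, prefix-only value) for keys on added lines."""
    findings, path, line_no, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git"):
            in_hunk = False
        elif not in_hunk and line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("@@"):
            start = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line)
            line_no, in_hunk = int(start.group(1)) - 1, True
        elif in_hunk and line.startswith("+"):
            line_no += 1
            for kind, pattern in KEY_PATTERNS.items():
                for hit in pattern.findall(line):
                    findings.append((path, line_no, kind, hit[:6] + "..."))
        elif in_hunk and line.startswith(" "):
            line_no += 1  # context line; removed ("-") lines do not advance
    return findings

# Constructed sample: hypothetical path, fake key values built from filler.
FAKE_GEMINI = "AIzaSy" + "X" * 33
FAKE_OPENROUTER = "sk-or-" + "X" * 40
SAMPLE_DIFF = f"""\
diff --git a/agents/scan.py b/agents/scan.py
--- a/agents/scan.py
+++ b/agents/scan.py
@@ -1,3 +1,4 @@
 import os
-GEMINI_API_KEY = "{FAKE_GEMINI}"
+GEMINI_API_KEY = os.getenv("GEMINI_API_KEY")
+os.environ["OPENROUTER_API_KEY"] = "{FAKE_OPENROUTER}"
 print("ready")
"""

if __name__ == "__main__":
    from_stdin = sys.argv[1:] == ["-"]
    hits = scan_diff(sys.stdin.read() if from_stdin else SAMPLE_DIFF)
    for path, line_no, kind, shown in hits:
        print(f"{path}:{line_no}: possible {kind} key {shown}")
    sys.exit(1 if hits and from_stdin else 0)
```

To scan real staged changes, pipe them in with `git diff --cached | python scan_keys.py -` (the file name is hypothetical); the exit status is 1 when a key-shaped value is found. A key on a removed line is not reported here because it is already in history, which is what the `git log -p` check covers.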
- Use different keys for development and production
- Rotate keys regularly (every 90 days recommended)
- Set up key expiration where supported
- Monitor API usage for unusual activity
- Use least privilege - only grant necessary permissions
- Never share keys via email, chat, or screenshots
- Use secrets management for production (AWS Secrets Manager, Azure Key Vault, etc.)
The MicroCFO server includes fallback modes that work without API keys:
# Agent A will use mock data if no API key is set
result = scan_invoice_document('test.jpg', use_mock=True)
# Agent D uses template-based generation as fallback
result = generate_negotiation_draft(...)  # Works without API keys

If you discover a security vulnerability, please:
- DO NOT open a public issue
- Email the maintainer directly
- Include details of the vulnerability
- Allow time for a fix before public disclosure
Before making your repository public:
- All API keys removed from source code
- .env file added to .gitignore
- .env.example created with placeholder values
- SECURITY.md reviewed and understood
- Git history checked for exposed keys
- All team members briefed on security practices
- API key rotation schedule established
Remember: Security is everyone's responsibility. When in doubt, ask!