Do not commit WooCommerce credentials, SMTP passwords, .env, config.yaml,
SQLite data, or scraped customer/business data.
Use config.example.yaml as a template and keep the real config.yaml local.
Provider keys such as GROQ_API_KEY should be loaded from environment
variables.
If a credential is committed accidentally:
- Revoke it in WordPress/WooCommerce, email, or provider dashboards.
- Rotate the credential.
- Remove the secret from the repository before publishing another release.
Report issues privately to the maintainer first. Include redacted logs and the affected command or module.