Never commit API keys, paste them into issues, or include them in screenshots.
The web demo supports model-provider credentials through server-side environment variables:
- Qwen: DASHSCOPE_API_KEY
- OpenAI: OPENAI_API_KEY
The local file demo/.env.local is ignored by Git. Public deployments should
store secrets in the hosting provider's encrypted environment-variable system.
For hackathon demos, use a dedicated deployment-only key with provider-side
budget controls or balance alerts, so a leaked key has a bounded cost and can be
revoked without touching your other projects. The app also supports an optional
VISITOR_KEY_ONLY=true mode for self-hosted no-shared-key experiments: no
provider key is read from the server environment, and each visitor supplies
their own key with the request. Visitor keys in that mode are request-scoped
and should still be treated as sensitive: never log them, persist them, or echo
them back in error messages.
If a key is exposed, revoke it at the provider immediately, create a replacement, and update the deployment's environment variables with the new value.
Do not open a public issue for a vulnerability that could expose credentials or user content. Contact the repository owner privately with reproduction steps and the affected version.