This paper project should need almost no secrets. Public data adapters use no credentials, SQLite is local, and test fixtures are versioned. Environment variables remain useful for operational settings such as an optional email relay or an AI provider used for source summarization. Treat every secret as a liability: collect the minimum, restrict its purpose, and make the application useful without it.
Create .env.example with names and safe placeholders only:
APP_ENV=development
PAPER_DB_PATH=var/paper_events.sqlite3
LOG_LEVEL=INFO
LLM_API_KEY=
ALERT_SMTP_HOST=
ALERT_SMTP_USER=
ALERT_SMTP_PASSWORD=
ALERT_TO=
The real .env belongs in .gitignore. Load it locally with python-dotenv, then validate values into a settings object. Never log the environment, interpolate secrets into exceptions, embed them in URLs, or include them in bug screenshots. Redaction should match keys and common authorization formats before an event reaches console or storage.
Separate secrets from non-secret configuration. PAPER_DB_PATH and LOG_LEVEL may be environment-specific but are not confidential. LLM_API_KEY and SMTP credentials are confidential. The bot must start in a reduced offline mode when optional secrets are absent: fixture research, deterministic rules, paper fills, tests, and local reports should still work. Missing alert credentials should disable email with a visible health warning, not disable local logging.
Never invent a venue credential “for later.” A paper-only system does not accept exchange keys, wallet phrases, private keys, or authenticated trading tokens. Add startup rejection for suspicious environment names such as WALLET_PRIVATE_KEY and EXCHANGE_SECRET. This converts a policy into an enforceable boundary.
Rotation means replacing a compromised value at the provider, updating the runtime secret store, restarting safely, and checking logs for exposure. Deleting a value from the latest Git commit is insufficient if it exists in history. If exposure occurs, revoke first; cleanup comes second.
🇵🇰 Pakistan Angle
Shared laptops, repair shops, screenshots sent over WhatsApp, and copied project ZIPs create practical leakage routes. Keep .env outside shared folders, lock the operating-system account, and send .env.example, never .env. Do not place CNIC, banking, Easypaisa, JazzCash, or wallet information in environment files for this course.
Hands-On Exercise
Add .env.example, .gitignore, and a settings validator. Write tests for: required APP_ENV, invalid log level, missing optional LLM key, and a forbidden WALLET_PRIVATE_KEY. Add a redaction test proving Bearer abc123 and values under keys ending _SECRET, _TOKEN, _PASSWORD, or _KEY do not appear in logs.
Completion Rubric
- Repository history contains no real secret value.
- Optional integrations fail into a documented reduced mode.
- Forbidden trading credential names stop startup.
- Logs and errors redact standard secret patterns.
- Rotation and exposure response are documented.
Sources
- python-dotenv project documentation
- OWASP secrets management cheat sheet
- GitHub guidance for removing sensitive data
Key takeaway: A research bot minimizes secrets, rejects trading credentials, and remains useful in a safe offline mode.