secrets — .env, api keys, and what not to commit
.env, os.getenv, and the leak recovery you'll do at least once
Checkpoint
One last thing before we move on. Same surface as a write step — but the lesson doesn't complete until this passes.
Final drill. Build a "ready to commit?" guard. Write `audit_files(files)` that takes a list of dicts, each shaped `{"path": "<filename>", "content": "<text>"}`, and returns a list of strings — one warning per problem found. Rules, applied in order:
- If a file's `path` matches `.env` or starts with `.env.` (but not `.env.example`), append `f"do not commit {path}"` and STOP checking that file (don't run the second rule on env files).
- Otherwise, if the file's `content` contains the substring `"sk-ant-"` or `"sk-test-"`, append `f"hardcoded key in {path}"`.
Files matching neither rule produce no warnings.
Then the script will exercise four files and print every warning, one per line.
Expected output:
do not commit .env
hardcoded key in src/bad.py
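One way to write the guard described above, as an added example rather than the lesson's own solution. It compares the file's basename so nested paths such as `config/.env` are also caught, which goes beyond the drill's wording; `is_env_file`, `KEY_MARKERS` and the four sample files are constructed for illustration.

```python
import posixpath

# Substrings the drill treats as evidence of a hardcoded key.
KEY_MARKERS = ("sk-ant-", "sk-test-")


def is_env_file(path):
    """True for .env and .env.<suffix>, except the committed template .env.example."""
    # Assumption: match on the basename so config/.env is flagged too.
    name = posixpath.basename(path)
    if name == ".env.example":
        return False
    return name == ".env" or name.startswith(".env.")


def audit_files(files):
    """Return one warning string per problem, applying the rules in order."""
    warnings = []
    for entry in files:
        path, content = entry["path"], entry["content"]
        if is_env_file(path):
            warnings.append(f"do not commit {path}")
            continue  # rule 1 matched: skip the key scan for env files
        if any(marker in content for marker in KEY_MARKERS):
            warnings.append(f"hardcoded key in {path}")
    return warnings


# Constructed sample input: four files, all key values are placeholders.
SAMPLE_FILES = [
    {"path": ".env", "content": "ANTHROPIC_API_KEY=sk-ant-PLACEHOLDER"},
    {"path": ".env.example", "content": "ANTHROPIC_API_KEY="},
    {"path": "src/bad.py", "content": 'client = Client(api_key="sk-test-PLACEHOLDER")'},
    {"path": "src/good.py", "content": 'import os\nkey = os.getenv("ANTHROPIC_API_KEY")'},
]

if __name__ == "__main__":
    for warning in audit_files(SAMPLE_FILES):
        print(warning)
```

Because `.env.example` is exempt only from the first rule, a template that accidentally contains a real-looking key is still reported by the second rule.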