| 1.1 | .env / .env.* is in .gitignore | 🔴 Critical | grep -n "\.env" .gitignore |
| 1.2 | No API keys, tokens, or passwords hardcoded in source | 🔴 Critical | grep -rn "sk-|sk_live|AKIA|ghp_|glpat-|xoxb-|Bearer [A-Za-z0-9]" --include="*.{ts,js,py,tsx,jsx}" . |
| 1.3 | No secrets in console.log, print(), or error responses | 🔴 Critical | grep -rn "console\.log.*key|console\.log.*secret|console\.log.*token|console\.log.*password" --include="*.{ts,js,tsx,jsx}" . |
| 1.4 | All keys loaded from environment variables or secret manager | 🔴 Critical | Manual review of config/init files |
| 1.5 | Frontend code does NOT contain server-side keys | 🔴 Critical | Check src/, public/, app/ for any process.env.SECRET_* usage that gets bundled client-side. In Next.js, only NEXT_PUBLIC_* vars reach the browser — everything else must stay server-side. |