
[WIP] Remove exposed Supabase credentials and update documentation #1

Merged
ehgzao merged 1 commit into main from copilot/remove-env-file-credentials
Dec 3, 2025


Copilot AI commented Dec 3, 2025

Security Fix: Remove Exposed Supabase Credentials

Plan:

  • Remove .env file from Git tracking (keep the file locally but stop tracking it)
  • Verify .gitignore properly excludes environment files
  • Create SECURITY.md with security best practices and vulnerability reporting
  • Update README.md with prominent security warning about credential rotation
  • Create SETUP.md with detailed development environment setup instructions
  • Verify all changes and ensure no sensitive data remains in working directory

Critical Note:

The exposed Supabase credentials in the Git history will remain accessible until the repository owner rotates them. This PR only prevents future commits of sensitive data.

Original prompt

Security Issue: Exposed Supabase Credentials

Critical Problems Found:

  1. The .env file containing real Supabase credentials is committed to the repository
  2. These credentials are exposed in the Git history
  3. The .env file needs to be removed from version control

Required Actions:

1. Remove .env file from Git history

  • The .env file at the root contains sensitive Supabase credentials that must be removed
  • This file should never be tracked in version control
  • Remove it completely from the repository

2. Update .gitignore

Ensure .gitignore includes:

.env
.env.local
.env.*.local
*.env

3. Create Security Documentation

Create a SECURITY.md file with:

  • Security best practices for the project
  • Instructions for reporting security vulnerabilities
  • Contact information for security issues
  • Reminder about never committing .env files

4. Update README.md

Add a prominent security notice in the README about:

  • The importance of rotating credentials after cloning
  • Never committing .env files
  • Using .env.example as a template

5. Add Development Setup Documentation

Update or create documentation that explains:

  • How to set up local development environment
  • How to obtain and configure Supabase credentials
  • Proper environment variable management

Important Notes:

  • The .env.example file should remain (it only has placeholders)
  • After this PR is merged, the repository owner MUST rotate all Supabase credentials shown in the commit history
  • The exposed credentials in Git history will still be accessible unless the repository is recreated or history is rewritten using tools like BFG Repo-Cleaner

Files to Modify/Create:

  • Delete: .env
  • Update: .gitignore (ensure .env is included)
  • Create: SECURITY.md
  • Update: README.md (add security warning)
  • Optional: Create SETUP.md for development setup instructions
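The remediation steps above (untrack .env while keeping it locally, enforce the listed .gitignore patterns) together with the Critical Note about history, as an added shell example that is not part of the PR; it assumes git is installed and builds a throwaway repository with constructed placeholder values, so nothing real is touched.

```shell
#!/bin/sh
# Added example, not code from the PR. Builds a throwaway repo that reproduces the
# problem (a committed .env with constructed placeholder values), then applies the
# PR's remediation and checks what it does and does not fix.
set -eu

# .gitignore patterns the prompt requires.
ENV_PATTERNS='.env
.env.local
.env.*.local
*.env'

make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email demo@example.invalid
  git -C "$dir" config user.name demo
  git -C "$dir" config commit.gpgsign false
  # Constructed placeholder values; no real key is ever written into an example.
  printf 'SUPABASE_URL=https://placeholder.supabase.co\nSUPABASE_KEY=PLACEHOLDER_NOT_A_REAL_KEY\n' >"$dir/.env"
  printf 'SUPABASE_URL=\nSUPABASE_KEY=\n' >"$dir/.env.example"
  git -C "$dir" add .env .env.example
  git -C "$dir" commit -qm 'add config'
  echo "$dir"
}

# Steps 1 and 2 of the plan: untrack .env but keep it on disk, then make sure every
# required pattern is present in .gitignore (appending only the missing ones).
remediate() {
  r=$1
  git -C "$r" rm -q --cached .env
  touch "$r/.gitignore"
  printf '%s\n' "$ENV_PATTERNS" | while IFS= read -r pat; do
    grep -qxF -- "$pat" "$r/.gitignore" || echo "$pat" >>"$r/.gitignore"
  done
  git -C "$r" add .gitignore
  git -C "$r" commit -qm 'stop tracking .env'
}

# Verification helpers: each returns success (0) when the condition holds.
env_tracked()    { git -C "$1" ls-files --error-unmatch .env >/dev/null 2>&1; }
env_ignored()    { git -C "$1" check-ignore -q .env; }
# Still true after remediation: the secrets stay in history until it is rewritten,
# which is why the credentials must be rotated regardless.
env_in_history() { [ -n "$(git -C "$1" log --all --oneline -- .env)" ]; }
```

Run `env_in_history` on a real clone to confirm the same caveat applies there: `git rm --cached` changes only the index and future commits.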

This pull request was created as a result of the Copilot chat prompt shown above under "Original prompt".

@ehgzao ehgzao marked this pull request as ready for review December 3, 2025 16:35
@ehgzao ehgzao merged commit b7fdd7b into main Dec 3, 2025
1 check failed
Copilot AI requested a review from ehgzao December 3, 2025 16:36

netlify bot commented Dec 3, 2025

Deploy Preview for shipperpp ready!

Name               Link
Latest commit      562c502
Latest deploy log  https://app.netlify.com/projects/shipperpp/deploys/6930669b73953a0008404ded
Deploy Preview     https://deploy-preview-1--shipperpp.netlify.app