
Conversation


@Ishaan400 Ishaan400 commented Dec 25, 2025

This PR removes .env from being bundled into the app (by removing it from flutter.assets in pubspec.yaml), confirms that .env is listed in .gitignore, and adds a note to the README warning contributors not to commit API keys.

  • pubspec.yaml updated
  • README.md updated
  • .gitignore already included .env (confirmed)

This helps reduce the risk of leaking secrets and improves onboarding for new contributors.

Summary by CodeRabbit

  • Documentation

    • Added security guidance for managing API keys and environment variables, recommending .env.example usage and preventing .env commits through .gitignore.
  • Chores

    • Updated configuration to exclude secret files from asset bundling.



coderabbitai bot commented Dec 25, 2025

📝 Walkthrough


Documentation and configuration updates to improve security practices by preventing environment files from being committed to version control and bundled with application assets. Introduces guidance on using environment variables and CI/CD systems for secrets management.

Changes

Cohort / File(s): Documentation & Configuration (README.md, pubspec.yaml)
Summary: README.md: Added note instructing developers not to commit the .env file; recommends .env.example, adding .env to .gitignore, and using CI/environment variables for secrets. pubspec.yaml: Removed the .env asset entry and replaced it with a comment emphasizing that secrets should not be bundled in assets.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A secret's a secret, best kept out of sight,
No .env in commits—that's just not quite right!
Use .example instead, and CI's embrace,
Your tokens and keys find a much safer place.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title directly and accurately summarizes the main changes: preventing .env bundling and documenting secure API key handling, which aligns with the actual modifications in pubspec.yaml and README.md.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

📥 Commits

Reviewing files that changed from the base of the PR and between 67b9681 and 6f14ca1.

📒 Files selected for processing (2)
  • README.md
  • pubspec.yaml
🔇 Additional comments (2)
pubspec.yaml (1)

58-58: Removing .env from assets is the correct security practice.

The app uses filesystem-based loading (await dotenv.load() in lib/main.dart), not asset-based loading. Removing .env from the assets list prevents bundling secrets into the compiled app without breaking functionality. The change is safe and recommended.

README.md (1)

44-48: Excellent security documentation!

The added warning clearly covers essential best practices: preventing accidental commits of secrets, using .env.example as a template, and leveraging CI/CD secret management for shared environments. The .env.example file with appropriate placeholders and .gitignore entry are already in place, supporting the documentation guidance perfectly.


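One way to turn the checks the bot reasons about above (no .env under flutter.assets, .env covered by .gitignore, an .env.example present for contributors) into a CI gate, as an added example that is not part of this PR or the project's code. The pubspec and .gitignore contents are constructed samples, and the indentation-based pubspec parser is an assumption that the file uses the conventional two-space layout rather than a full YAML parse.

```python
import fnmatch

# Constructed sample inputs (not the project's real files): the pre-PR state,
# in which .env is still listed under flutter.assets and so gets bundled.
PUBSPEC_BEFORE = """\
flutter:
  uses-material-design: true
  assets:
    - .env
    - assets/images/
"""
GITIGNORE = ".dart_tool/\nbuild/\n.env\n"

def bundled_assets(pubspec_text):
    """Asset paths under 'flutter: assets:' (indentation-based, no YAML library)."""
    assets, in_flutter, in_assets = [], False, False
    for line in pubspec_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_flutter, in_assets = stripped == "flutter:", False
        elif in_flutter and indent == 2:
            in_assets = stripped == "assets:"
        elif in_assets and stripped.startswith("- "):
            assets.append(stripped[2:].strip().strip("'\""))
    return assets

def gitignore_covers(gitignore_text, path):
    """Last matching rule wins, as in git; '!' un-ignores. Root-level globs only."""
    covered = False
    for raw in gitignore_text.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(path, pat.lstrip("!/")):
            covered = not negate
    return covered

def audit(pubspec_text, gitignore_text, has_env_example):
    """Return findings a CI job should fail on; an empty list means clean."""
    findings = [f"secret file bundled as asset: {a}" for a in bundled_assets(pubspec_text)
                if a.rsplit("/", 1)[-1].startswith(".env")]  # any .env* file
    if not gitignore_covers(gitignore_text, ".env"):
        findings.append(".env is not ignored by git")
    if not has_env_example:
        findings.append("no .env.example template for contributors")
    return findings
```

Run `audit` on the checked-out pubspec.yaml and .gitignore in a pre-commit hook or CI step and fail the job when it returns anything.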
