Secrets Management
All secrets are stored in AWS SSM Parameter Store and never committed to git.
Generating .env Files
```bash
./scripts/generate-env.sh > backend/.env
```

This pulls all parameters from SSM and formats them as environment variables.
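The formatting step described above, as an added example in Python rather than the project's own `generate-env.sh`: it takes parameters in the shape SSM's GetParametersByPath returns, renders `.env` lines, and writes them owner-readable only. The `/example-app/prod/` prefix, the function names, the single-quote convention and the sample values are assumptions made for this example.

```python
import os
import re
import tempfile

# Constructed sample in the shape of an SSM GetParametersByPath response.
# The /example-app/prod/ prefix and both values are made up for this example.
SAMPLE_RESPONSE = {
    "Parameters": [
        {"Name": "/example-app/prod/DATABASE_URL", "Type": "SecureString",
         "Value": "postgresql://app:p$ss@db.internal:5432/app"},
        {"Name": "/example-app/prod/AUTH_SECRET", "Type": "SecureString",
         "Value": "constructed-not-a-real-secret"},
    ]
}

NAME_RE = re.compile(r"^[A-Z_][A-Z0-9_]*$")
UNSAFE_VALUE_RE = re.compile(r"[\x00-\x1f\x7f']")  # control chars or a single quote


def render_env(parameters, prefix):
    """Turn SSM parameter dicts into .env text, failing closed on unsafe input."""
    lines = []
    for param in sorted(parameters, key=lambda p: p["Name"]):
        if not param["Name"].startswith(prefix):
            raise ValueError(f"parameter outside {prefix}: {param['Name']}")
        name = param["Name"][len(prefix):]
        if not NAME_RE.match(name):
            raise ValueError(f"not a valid variable name: {name!r}")
        # A newline in a value would start a new line and define an extra
        # variable; a single quote would end the quoting used below.
        if UNSAFE_VALUE_RE.search(param["Value"]):
            # Name only in the error: the value is a secret and must not reach logs.
            raise ValueError(f"unsafe character in value of {name}")
        lines.append(f"{name}='{param['Value']}'")
    return "\n".join(lines) + "\n"


def write_env_file(path, text):
    """Write the file readable by its owner only, whatever the umask is."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        os.fchmod(handle.fileno(), 0o600)  # also tightens a pre-existing file
        handle.write(text)


if __name__ == "__main__":
    target = os.path.join(tempfile.mkdtemp(), ".env")
    write_env_file(target, render_env(SAMPLE_RESPONSE["Parameters"], "/example-app/prod/"))
    print(oct(os.stat(target).st_mode & 0o777))
```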
Key Parameters
| Parameter | Purpose |
|---|---|
| `OPENAI_API_KEY` | GPT-4o-mini and embeddings |
| `ANTHROPIC_API_KEY` | Claude Sonnet (premium tier) |
| `DATABASE_URL` | PostgreSQL connection string |
| `AUTH_SECRET` | Better-Auth signing secret |
| `AWS_ACCESS_KEY_ID` | S3 access for meal images |
Security Rules
- Never expose API keys — environment variables only
- Never expose `str(e)` to users — log server-side, return generic messages
- Always use parameterized SQL (SQLAlchemy ORM)
- Always validate JWT tokens