The two scenarios you'll see most often:

1. Entra portal → app reg → Certificates & secrets → delete the leaked secret.
2. Create a new one.
3. Update wherever it was used (Copilot Studio, Key Vault, etc.).
4. Audit recent token issuance if the secret was exposed for >a few minutes.

1. Copilot Studio → Settings → Channels → Direct Line → regenerate the secret.
2. Update token broker (or wherever it's stored server-side).

• .env, .env.local are gitignored (see .gitignore).
• The WebChat bundle never reads anything but VITE_* env vars (build-time, baked into JS) — no secrets get into the bundle by accident.
• staticwebapp.config.json sets a strict CSP that blocks unexpected origins.
• GitHub Actions secrets are scoped to the repo and never echoed in logs.

When configuring Manual Entra auth on Copilot Studio, choose "Microsoft Entra ID V2 with federated credentials" if it appears as an option. This avoids client secrets entirely and means there's no secret to rotate or leak.

See docs/BUILD-GUIDE.md §7 for the federated credential setup.

This is a personal experimental project. If you find an issue, open a GitHub issue or email the repo owner directly. There's no SLA — this is not production.