fix(security): remove leaked API key and add gitleaks secret scanning

Replace hardcoded production API key and URL with YOUR_* placeholders
so the existing credential-detection guard falls back to dev mode.
Add gitleaks GitHub Action to scan every push to main and every PR
for secrets, with custom rules for RunAnywhere API keys, Railway URLs,
and Supabase credentials.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: sanchitmonga22

.github/workflows/secret-scan.yml

@@ -0,0 +1,35 @@
+name: Secret Scanning
+
+# =============================================================================
+# Gitleaks Secret Scanning Workflow
+#
+# Scans every push to main and every pull request for leaked secrets,
+# API keys, tokens, and internal URLs. Uses the project-level
+# .gitleaks.toml for RunAnywhere-specific patterns on top of gitleaks'
+# built-in detectors.
+# =============================================================================
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  secret-scan:
+    name: Gitleaks Secret Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_CONFIG: .gitleaks.toml

.gitleaks.toml

@@ -0,0 +1,59 @@
+# =============================================================================
+# Gitleaks Configuration — RunAnywhere SDK Monorepo
+#
+# Custom rules supplement gitleaks' built-in detectors (AWS keys, JWTs, etc.).
+# These catch RunAnywhere-specific secrets and internal infrastructure URLs.
+# =============================================================================
+
+title = "RunAnywhere Secret Scanning"
+
+# -----------------------------------------------------------------------------
+# Custom Rules
+# -----------------------------------------------------------------------------
+
+[[rules]]
+id = "runanywhere-api-key"
+description = "RunAnywhere API key (runa_prod_*, runa_dev_*, runa_staging_*)"
+regex = '''runa_(prod|dev|staging)_[A-Za-z0-9_\-]{10,}'''
+keywords = ["runa_prod", "runa_dev", "runa_staging"]
+
+[[rules]]
+id = "railway-app-url"
+description = "Railway production/staging app URL"
+regex = '''https?://[a-zA-Z0-9\-]+\.up\.railway\.app'''
+keywords = ["railway.app"]
+
+[[rules]]
+id = "supabase-url"
+description = "Supabase project URL (non-placeholder)"
+regex = '''https://[a-z0-9]+\.supabase\.co'''
+keywords = ["supabase.co"]
+
+[[rules]]
+id = "supabase-anon-key"
+description = "Supabase anon/service key"
+regex = '''eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{20,}'''
+keywords = ["eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"]
+
+# -----------------------------------------------------------------------------
+# Allowlists — paths and patterns that are safe to ignore
+# -----------------------------------------------------------------------------
+
+[allowlist]
+description = "Global allowlist"
+
+paths = [
+    '''\.gitleaks\.toml$''',
+    '''CLAUDE\.md$''',
+    '''\.cursor/plans/.*\.plan\.md$''',
+    '''thoughts/.*\.md$''',
+]
+
+regexTarget = "line"
+regexes = [
+    '''YOUR_PRODUCTION_API_KEY''',
+    '''YOUR_PRODUCTION_BASE_URL''',
+    '''YOUR_''',
+    '''placeholder''',
+    '''https://placeholder\.supabase\.co''',
+]

examples/android/RunAnywhereAI/app/src/main/java/com/runanywhere/runanywhereai/RunAnywhereApplication.kt

@@ -153,8 +153,8 @@ class RunAnywhereApplication : Application() {
             } else {
                 // PRODUCTION mode - requires API key and base URL
                 // Configure these via Settings screen or set environment variables
-                val apiKey = "REDACTED_API_KEY"
-                val baseURL = "https://REDACTED_URL"
+                val apiKey = "YOUR_PRODUCTION_API_KEY"
+                val baseURL = "YOUR_PRODUCTION_BASE_URL"
 
                 // Detect placeholder credentials and abort production initialization
                 if (apiKey.startsWith("YOUR_") || baseURL.startsWith("YOUR_")) {