Create wiki/hardcoding-secrets-in-code.md
a9ec38045b84 harrisonqian 2026-04-12 1 file
new file mode 100644
index 0000000..e06d780
@@ -0,0 +1,25 @@
+---
+visibility: public-edit
+---
+
+# hardcoding secrets in code
+
+*(common gotcha)*
+
+## what happened
+
+you push API keys, passwords, or tokens to a public GitHub repo. bots scrape GitHub for exposed secrets. within minutes, your AWS bill is $5,000, your API key is being used for crypto mining, or your database is wiped.
+
+## why it's a gotcha
+
+it happens to everyone at least once. you're moving fast, you hardcode a key "just for testing," you forget to remove it, you push. even if you delete the commit, the secret is in the git history and can still be found. bots are scanning GitHub continuously — this is not a theoretical risk.
+
+## the fix
+
+use environment variables or a `.env` file (and add `.env` to `.gitignore`). use a secrets manager for anything production. if you accidentally push a secret, revoke and rotate it immediately — don't just delete the commit. tools like `git-secrets` or GitHub's built-in secret scanning can catch this before it happens.
+
+## see also
+
+- [[not-using-version-control]] — bad git habits compound this
+- [[discord-bot-ban]] — another way carelessness with platforms costs you
+- [[check-what-you-submit]] — verify what you're pushing
\ No newline at end of file
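Review bot: the "the fix" paragraph conflates two GitHub features; secret scanning raises alerts after a secret has already been pushed, while it is push protection (the opt-in part of secret scanning) that blocks the push before the secret lands in the public history, so the sentence "GitHub's built-in secret scanning can catch this before it happens" should read along the lines of "GitHub's push protection (or a local pre-commit hook such as `git-secrets`) can block the push before it happens; secret scanning will alert you after the fact". Two small gaps in the same paragraph worth filling: adding `.env` to `.gitignore` does nothing for a `.env` that is already tracked (it needs `git rm --cached .env` first), and the line "don't just delete the commit" could say why, in line with the "why it's a gotcha" section above: rewriting history does not reach forks, clones or the scrapers that already copied it, which is exactly why revoke-and-rotate is the only real fix. Finally, the file ends without a trailing newline; worth adding so the next edit does not produce a noisy diff.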