# Production Notes

## Secrets

Real API keys must never be committed to GitHub.

Use:

- .env locally
- Hugging Face Secrets for Spaces
- Cloud secret managers in production

## Generated Files

Do not commit:

- vector_db/
- outputs/
- logs/
- .env

## Monitoring

A production RAG app should log:

- user question
- model name
- prompt version
- retrieved source chunks
- latency
- error type
- token usage if available

## Safety

The model should answer only from retrieved context unless explicitly configured otherwise.

## Evaluation

Maintain test questions with expected answers and expected sources.
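
One way to emit the fields listed under Monitoring as a single JSON line per request, on success and on failure. This is an added example, not code from the project; the logger name `rag.audit`, the function name and the shape of the pipeline's return value are assumptions.

```python
import json
import logging
import time

# Hypothetical logger name; attach whatever handler your deployment uses.
logger = logging.getLogger("rag.audit")


def answer_with_audit_log(question, answer_fn, *, model_name, prompt_version):
    """Call answer_fn(question) and emit one JSON line with the Monitoring fields.

    Assumed (not from the original notes): answer_fn returns a dict with
    "answer", "chunks" (list of {"source", "chunk_id"}) and optionally "usage".
    """
    record = {
        "question": question,
        "model_name": model_name,
        "prompt_version": prompt_version,
        "retrieved_chunks": [],
        "latency_ms": None,
        "error_type": None,
        "token_usage": None,  # stays None when the provider reports no usage
    }
    start = time.perf_counter()
    try:
        result = answer_fn(question)
        record["retrieved_chunks"] = [
            {"source": c["source"], "chunk_id": c["chunk_id"]}
            for c in result.get("chunks", [])
        ]
        record["token_usage"] = result.get("usage")
        return result
    except Exception as exc:
        # Log the exception class only; the caller still sees the exception.
        record["error_type"] = type(exc).__name__
        raise
    finally:
        # Runs on success and on failure, so every request leaves one line.
        record["latency_ms"] = round((time.perf_counter() - start) * 1000, 1)
        logger.info(json.dumps(record, sort_keys=True))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")

    def fake_answer(q):  # constructed stand-in for a real RAG pipeline
        return {"answer": "42", "chunks": [{"source": "faq.md", "chunk_id": 3}],
                "usage": {"prompt_tokens": 120, "completion_tokens": 8}}

    answer_with_audit_log("What is the refund window?", fake_answer,
                          model_name="example-model", prompt_version="v1")
```
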