# Production Notes

## Secrets

Real API keys must never be committed to GitHub. Use:

- .env locally
- Hugging Face Secrets for Spaces
- Cloud secret managers in production

## Generated Files

Do not commit:

- vector_db/
- outputs/
- logs/
- .env

## Monitoring

A production RAG app should log:

- user question
- model name
- prompt version
- retrieved source chunks
- latency
- error type
- token usage if available

## Safety

The model should answer only from retrieved context unless explicitly configured otherwise.

## Evaluation

Maintain test questions with expected answers and expected sources.
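
One way to run the test questions described under Evaluation, as an added example rather than code from this project: each case is scored on both the expected answer and the expected sources, so an answer that is right but not backed by the expected chunk (the Safety concern above) is reported separately. The `rag_fn` interface, the substring answer check, and all questions and source ids are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EvalCase:
    question: str
    expected_answer: str         # substring the answer must contain (assumed check)
    expected_sources: frozenset  # source ids that must be among the retrieved chunks

def evaluate(cases, rag_fn):
    """Run each case through rag_fn(question) -> (answer, retrieved_source_ids)."""
    results = []
    for case in cases:
        row = {"question": case.question, "answer_ok": False,
               "sources_ok": False, "missing_sources": [], "error_type": None}
        try:
            answer, sources = rag_fn(case.question)
        except Exception as exc:  # a failing case is recorded, it does not stop the run
            row["error_type"] = type(exc).__name__
        else:
            row["answer_ok"] = case.expected_answer.lower() in answer.lower()
            row["missing_sources"] = sorted(case.expected_sources - set(sources))
            row["sources_ok"] = not row["missing_sources"]
        results.append(row)
    return results

def summarize(results):
    """Count passes and list answers that were right but lacked the expected source."""
    return {
        "total": len(results),
        "passed": sum(r["answer_ok"] and r["sources_ok"] for r in results),
        "ungrounded": [r["question"] for r in results
                       if r["answer_ok"] and not r["sources_ok"]],
        "errors": [r["question"] for r in results if r["error_type"]],
    }

# Constructed stand-in for the real pipeline; questions, answers and source ids are made up.
CANNED = {
    "Where do API keys live locally?": ("In a .env file.", ["notes.md#secrets"]),
    "Which folders are never committed?": ("vector_db/, outputs/ and logs/.", ["readme.md#intro"]),
}

def fake_rag(question):
    return CANNED[question]  # raises KeyError for an unknown question

CASES = [
    EvalCase("Where do API keys live locally?", ".env", frozenset({"notes.md#secrets"})),
    EvalCase("Which folders are never committed?", "vector_db/", frozenset({"notes.md#generated-files"})),
    EvalCase("What is logged per request?", "latency", frozenset({"notes.md#monitoring"})),
]

if __name__ == "__main__":
    print(summarize(evaluate(CASES, fake_rag)))
```

Replace `fake_rag` with a wrapper around the real pipeline that returns the answer text and the ids of the retrieved chunks.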