The svc.plus review password and the two bridge tokens were committed in
plaintext across the manual case / API test docs. Replace every value
with a `.env` / secret-store reference and add a tracked .env.example
template. Harden .gitignore (.env.*, *.local.env, secrets.env) while
keeping !.env.example.
Note: git history was rewritten separately to purge the leaked values;
the credentials must be rotated regardless.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
