🩹Vibe Code Fix

Secret in Client Bundle

A secret in the client bundle means an API key, database password, or signing token got baked into JavaScript that ships to the browser. Every visitor can open devtools, find it in the Network or Sources tab, and use it. This is one of the top ways startups lose money on their AI/API provider bills overnight.

AI assistants produce this bug because they don't always know which part of your app runs on the server versus the client. In Next.js, anything prefixed `NEXT_PUBLIC_` in your env is deliberately exposed to the browser — but AI sometimes adds that prefix to secrets to 'fix' a missing-env error without understanding what it does. In Vite, `VITE_` serves the same role. In create-react-app, everything is client code unless you route the call through a backend.

The fix: treat server code and client code as separate universes. Secrets live in server-only env vars (no `NEXT_PUBLIC_` prefix), get read from inside route handlers or server components, and never get passed as props to client components. Before shipping, grep your build output for a known secret — if it shows up, you have a leak. Our checklist flags this as critical.

