Add security notice clarifying placeholder tokens in git history

- Clarified that 'actual_token_here' and similar strings are placeholders
- Added security best practices for handling real credentials
- Documented proper secrets management approach
- Added instructions for contributors about credential handling

This addresses any concerns about placeholder strings in git history while
emphasizing that no real credentials were ever exposed.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: wesellis

SECURITY_NOTICE.md

@@ -0,0 +1,29 @@
+# Security Notice
+
+## About Tokens in Git History
+
+This repository's git history contains placeholder tokens such as `"actual_token_here"` which are **NOT real tokens or credentials**. These are:
+
+- ✅ Placeholder strings for demonstration purposes
+- ✅ Fixed in later commits with proper authentication methods
+- ✅ Never contained actual API keys or secrets
+
+## Security Best Practices
+
+This project follows security best practices:
+
+1. **Environment Variables** - All real credentials should be stored in `.env` files (not committed)
+2. **Secrets Management** - Production deployments should use HashiCorp Vault or Azure Key Vault
+3. **JWT Authentication** - API uses proper JWT token authentication
+4. **Never Commit Secrets** - Real API keys, passwords, or tokens should never be committed
+
+## If You Fork This Repository
+
+1. Never add real credentials to any files
+2. Use environment variables for all sensitive data
+3. Add `.env` to your `.gitignore`
+4. Use proper secrets management in production
+
+## Reporting Security Issues
+
+If you discover a security vulnerability, please email wes@wesellis.com directly rather than creating a public issue.