Secrets & hosting
Never commit DISCORD_BOT_TOKEN, database URLs, or BOT_INTERNAL_SECRET to public repositories. Rotate credentials if a staff member leaves or a log leaks.
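As an added example (not part of Knife's own code), this Python check could run as a pre-commit step. It flags lines that hold a live value for the variables named above, or a database URL with an inline password. The placeholder conventions and the sample file contents are assumptions constructed for illustration.

```python
import re

# Variable names taken from the page; their values must never reach a repository.
SECRET_NAMES = ("DISCORD_BOT_TOKEN", "BOT_INTERNAL_SECRET")
# NAME=value or "NAME": "value", optionally prefixed with "export".
ASSIGN_RE = re.compile(
    r"""^\s*(?:export\s+)?["']?(?P<name>[A-Z0-9_]+)["']?\s*[:=]\s*["']?(?P<value>[^"'\s#]*)"""
)
# Database URL carrying an inline password: scheme://user:password@host/...
DB_URL_RE = re.compile(
    r"\b(?:postgres(?:ql)?|mysql|mariadb|mongodb(?:\+srv)?|redis)://[^\s:/@]+:(?P<pw>[^\s@]+)@"
)
# Empty values, ${VAR} references and common dummy strings (assumed conventions).
PLACEHOLDER_RE = re.compile(r"^(|<.*>|\$\{?\w+\}?|changeme|your[-_].*|x+|\*+)$", re.I)

# Constructed sample input; none of these values are real credentials.
SAMPLE_ENV = """\
# constructed sample, not real credentials
DISCORD_BOT_TOKEN=constructed.not-a-real.token
BOT_INTERNAL_SECRET=${BOT_INTERNAL_SECRET}
DATABASE_URL=postgres://knife:constructed-pw@db.example.internal:5432/knife
export BOT_INTERNAL_SECRET="constructed-internal-secret"
DISCORD_BOT_TOKEN=
REDIS_URL=redis://localhost:6379/0
"""


def find_secrets(text):
    """Return (line_number, kind) for each line that appears to hold a live secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN_RE.match(line)
        if (m and m.group("name") in SECRET_NAMES
                and not PLACEHOLDER_RE.match(m.group("value"))):
            findings.append((lineno, m.group("name")))
            continue
        u = DB_URL_RE.search(line)
        if u and not PLACEHOLDER_RE.match(u.group("pw")):
            findings.append((lineno, "database URL with password"))
    return findings


if __name__ == "__main__":
    for lineno, kind in find_secrets(SAMPLE_ENV):
        print(f"line {lineno}: {kind}")
```

A non-empty result should block the commit. A credential that already reached history needs rotating, because deleting it in a later commit does not remove it from earlier ones.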
Least privilege
Grant Knife only the permissions each feature needs. Over-powered bot roles make abuse more damaging if an account is compromised. Audit who can configure jails, webhooks, and broadcast-style commands.