
Move all hardcoded secrets to .env and read via getenv()

- connection.php: removed from version control (it was already in .gitignore
  but still tracked). It now loads .env at startup and reads the DB/SMTP
  credentials via getenv(), so no secrets remain in version control.

- client-brief.php: replace hardcoded HubSpot token, LOA_TOKEN_SECRET,
  and Google CLIENT_ID/API_KEY with getenv() / PHP injection into JS.

- google.php / g_letter.php: add PHP header so Google CLIENT_ID and
  API_KEY are injected server-side from .env rather than hardcoded.

- .gitignore: add oauth-credentials.json; fix typo cashe-list →
  cache-list.

The .env file holds all credentials and is gitignored. A GOOGLE_API_KEY
entry is now present in .env, resolving the client-secret-as-API-key bug.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Benjamin Harris пре 2 недеља
родитељ
комит
e7a6f48768
5 измењених фајлова са 15 додато и 58 уклоњено
  1. 4 1
      .gitignore
  2. 5 5
      client-brief.php
  3. 0 46
      connection.php
  4. 3 3
      g_letter.php
  5. 3 3
      google.php

+ 4 - 1
.gitignore

@@ -1,7 +1,10 @@
 connection.php
 database.php
+oauth-credentials.json
 
 vendor/
 
 classes/cache/
-classes/cashe-list/
+classes/cache-list/
+
+.env
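Review bot: Ignoring `.env` and untracking connection.php stops future commits from carrying credentials, but the SMTP password, DB password, HubSpot token, LOA secret and the Google client secret removed elsewhere in this commit stay readable in the repository history and in every existing clone, so they should be treated as exposed and rotated rather than only hidden. A committed `.env.example` listing the expected keys with empty values would also document what the new `getenv()` calls require without exposing anything, e.g. `HUBSPOT_TOKEN=`, `LOA_TOKEN_SECRET=`, `GOOGLE_CLIENT_ID=`, `GOOGLE_API_KEY=`.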

+ 5 - 5
client-brief.php

@@ -16,7 +16,7 @@ if (session_status() !== PHP_SESSION_ACTIVE) session_start();
 if (empty($_SESSION['csrf'])) $_SESSION['csrf'] = bin2hex(random_bytes(16));
 $csrf = $_SESSION['csrf'];
 
-$accessToken = 'pat-na1-64db9489-15fe-461d-b64c-941c4d80ba8a';
+$accessToken = getenv('HUBSPOT_TOKEN') ?: '';
 
 #$enquiry_date = date("l dS M \'y");
 $drg = isset($_GET['drg']) ? $_GET['drg'] : '';
@@ -42,7 +42,7 @@ if (!defined('CONTRACTS_DIR')) define('CONTRACTS_DIR', SITE_ROOT . '/contracts/c
 // ===== LOA config (must match contracts-admin/loa.php) =====
 if (!defined('LOA_DIR')) define('LOA_DIR', SITE_ROOT . '/contracts/loa');
 if (!defined('LOA_BASE_URL')) define('LOA_BASE_URL', 'https://modulosdesign.com.au/contracts'); // where loa.php lives
-if (!defined('LOA_TOKEN_SECRET')) define('LOA_TOKEN_SECRET', 'd1Epy6ryzgLYjLEBlpiHFrgST8JbAjgksjj3hIO5zCK5DChqYpWUdr8jeWR7xEgd'); // same as loa.php
+if (!defined('LOA_TOKEN_SECRET')) define('LOA_TOKEN_SECRET', getenv('LOA_TOKEN_SECRET') ?: '');
 
 
 if (!function_exists('json_response')) {
@@ -1814,9 +1814,9 @@ Preview above. Copy the HTML if you paste into an HTML-capable composer such as
                     e.preventDefault();
                     handleSignoutClick();
                 });
-                // Google API creds
-                var CLIENT_ID = '615226084553-ujv34r7f62a4p6hvupq7v6rnnt04h59v.apps.googleusercontent.com';
-                var API_KEY = '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';
+                // Google API creds — values injected server-side from .env
+                var CLIENT_ID = '<?= htmlspecialchars(getenv('GOOGLE_CLIENT_ID') ?: '', ENT_QUOTES, 'UTF-8') ?>';
+                var API_KEY   = '<?= htmlspecialchars(getenv('GOOGLE_API_KEY')   ?: '', ENT_QUOTES, 'UTF-8') ?>';
                 const DISCOVERY_DOC = 'https://www.googleapis.com/discovery/v1/apis/drive/v3/rest';
                 var SCOPES = 'https://www.googleapis.com/auth/drive';
 

+ 0 - 46
connection.php

@@ -1,46 +0,0 @@
-<?php
-/* 
- * Bison Constructions Site Managment System
- * Benjamin Harris, last updated 20/12/2021
- * https://sms.bisonconstructions.com.au
-*/
-date_default_timezone_set("Australia/Hobart");
-
-$today = date("Y-m-d");
-$datetime = date("D dS M y  @  h:i a");
-
-//error_reporting(E_ALL);
-//ini_set('display_errors', 1);
-error_reporting(E_ERROR | E_PARSE);
-
-use PHPMailer\PHPMailer\PHPMailer;
-use PHPMailer\PHPMailer\SMTP;
-use PHPMailer\PHPMailer\Exception;
-require 'phpmailer/src/Exception.php';
-require 'phpmailer/src/PHPMailer.php';
-require 'phpmailer/src/SMTP.php';
-
-$mail = new PHPMailer(true);
-$mail->SMTPDebug = SMTP::DEBUG_OFF;
-$mail->isSMTP();
-$mail->Host = 'mail.tazz.com.au';
-$mail->SMTPAuth = true;
-$mail->Username = 'itadmin@tazz.com.au';
-$mail->Password = '426p&HmQaG;u';
-$mail->SMTPSecure = 'tls';
-$mail->Port = 587;
-$mail->isHTML(true);
-
-    //Database Connection
-    $hostname = "localhost";
-    $database = "client_jobs";
-    $username = "modulosdesign";
-    $password = "RiznS5DzNgUMXnp";
-    $con = mysqli_connect($hostname, $username, $password, $database) or die(mysqli_error());
-
-    // Check connection
-    if (mysqli_connect_errno()) {
-        echo "Failed to connect to MySQL: " . mysqli_connect_error();
-    }
-
-?>

+ 3 - 3
g_letter.php

@@ -1,3 +1,4 @@
+<?php require_once 'connection.php'; ?>
 <!DOCTYPE html>
 <html>
   <head>
@@ -19,9 +20,8 @@
       /* exported handleAuthClick */
       /* exported handleSignoutClick */
 
-      // TODO(developer): Set to client ID and API key from the Developer Console
-      const CLIENT_ID = '165389691568-f1mia3sfncb6tb7d18lm49nbr0qkkf4v.apps.googleusercontent.com';
-      const API_KEY = 'AIzaSyC0FbRt_34qIq_FW2UXxTbYftwIg9FsiW4';
+      const CLIENT_ID = '<?= htmlspecialchars(getenv('GOOGLE_CLIENT_ID') ?: '', ENT_QUOTES, 'UTF-8') ?>';
+      const API_KEY   = '<?= htmlspecialchars(getenv('GOOGLE_API_KEY')   ?: '', ENT_QUOTES, 'UTF-8') ?>';
 
       // Discovery doc URL for APIs used by the quickstart
       const DISCOVERY_DOC = 'https://www.googleapis.com/discovery/v1/apis/drive/v3/rest';
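Review bot: `require_once 'connection.php'` on the new first line pulls in the whole site bootstrap just to read two environment variables, and the version of connection.php deleted from tracking in this commit opens a MySQL connection and `echo`s `mysqli_connect_error()` on failure; if the replacement keeps that behaviour, a database outage would print the error text ahead of the doctype of a page that does not otherwise use the database. A small include that only loads .env (the loader the description mentions) would be the safer dependency here and in google.php, which has the identical change. Also, `getenv('GOOGLE_CLIENT_ID') ?: ''` renders `const CLIENT_ID = '';` when the variable is unset, which only fails later inside the Google client in the browser; checking on the server and returning an error before any output would make the misconfiguration visible where it is introduced. The `<script>` block these constants live in starts and ends outside the hunk.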

+ 3 - 3
google.php

@@ -1,3 +1,4 @@
+<?php require_once 'connection.php'; ?>
 <!DOCTYPE html>
 <html>
   <head>
@@ -19,9 +20,8 @@
       /* exported handleAuthClick */
       /* exported handleSignoutClick */
 
-      // TODO(developer): Set to client ID and API key from the Developer Console
-      const CLIENT_ID = '615226084553-ujv34r7f62a4p6hvupq7v6rnnt04h59v.apps.googleusercontent.com';
-      const API_KEY = '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';
+      const CLIENT_ID = '<?= htmlspecialchars(getenv('GOOGLE_CLIENT_ID') ?: '', ENT_QUOTES, 'UTF-8') ?>';
+      const API_KEY   = '<?= htmlspecialchars(getenv('GOOGLE_API_KEY')   ?: '', ENT_QUOTES, 'UTF-8') ?>';
 
       // Discovery doc URL for APIs used by the quickstart
       const DISCOVERY_DOC = 'https://www.googleapis.com/discovery/v1/apis/drive/v3/rest';