
Why Cursor Keeps Hardcoding Your API Keys (And How to Stop It)
TL;DR

- AI assistants trained on public repos reproduce hardcoded secrets because that's what they learned
- A pushed API key is effectively public even after deletion -- git history doesn't forget
- Add gitleaks as a pre-commit hook today -- five minutes, blocks the problem at the source

I've been doing code reviews for teams that have fully switched to AI-assisted workflows. Cursor, Copilot, Claude Code -- all of them. And there's one pattern I keep seeing that doesn't get enough attention: hardcoded credentials.

Not occasionally. Consistently. In nearly every AI-generated file that touches external services, the first draft drops a raw API key directly into the code. Sometimes it's in a comment. Sometimes it's a constant. Once I found it hardcoded into a URL string inside a fetch() call.

This isn't a bug in the AI. It's working as designed. The models were trained on public code, and public code is full of this. StackOverflow answers from 2015, tutorial repos, quick prototypes that never
Continue reading on Dev.to
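The gitleaks pre-commit hook the TL;DR recommends does this with a much larger rule set; what follows is an added example (not code from the original post or from gitleaks) showing the core of what such a hook does: inspect only the added lines of the staged diff, match a few patterns for the placements the post describes (a comment, a constant, a key inside a fetch() URL), redact before reporting, and exit non-zero so git aborts the commit. The rule names, regexes and sample diff are constructed assumptions for illustration.

```python
import re
import subprocess
import sys

# (rule, pattern). The AKIA prefix is a documented AWS access-key-ID format;
# the other two are assumed shapes for a key pasted into a URL query string
# or assigned to a constant. Gitleaks ships a far larger rule set than this.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("key-in-url", re.compile(r"[?&](api_?key|token|key)=[A-Za-z0-9_-]{16,}", re.I)),
    ("key-assignment", re.compile(
        r"(api[_-]?key|secret|token)\s*[:=]\s*['\"][A-Za-z0-9_-]{16,}['\"]", re.I)),
]

def scan_diff(diff_text):
    """Return (file, rule, redacted line) for each added '+' line matching a rule."""
    findings, current_file = [], "?"
    for line in diff_text.splitlines():
        if line.startswith("+++ b/"):
            current_file = line[len("+++ b/"):]
        elif line.startswith("+") and not line.startswith("+++"):
            added = line[1:].strip()
            for rule, pattern in PATTERNS:
                if pattern.search(added):
                    # Never echo the credential itself into terminal or CI logs.
                    findings.append((current_file, rule, pattern.sub("[REDACTED]", added)))
    return findings

# Constructed sample diff; the AKIA value is AWS's documentation example, not a live key.
SAMPLE_DIFF = """\
--- a/client.js
+++ b/client.js
@@ -1,1 +1,3 @@
-const OLD = "removed lines are not scanned";
+// key: AKIAIOSFODNN7EXAMPLE
+const API_KEY = "sk_test_0123456789abcdefghij";
+fetch("https://api.example.com/v1/items?api_key=0123456789abcdefghij");
"""

def main():
    # Hook entry point: scan only the staged diff; non-zero exit aborts the commit.
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, rule, line in findings:
        print(f"{path}: possible hardcoded secret ({rule}): {line}", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit`, it runs on every commit; keys that are already in history still need rotation, since the hook only sees what is about to be added.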