diff --git a/replit.md b/replit.md
index b9b3c8ab..3875523b 100644
--- a/replit.md
+++ b/replit.md
@@ -227,6 +227,8 @@ Preferred communication style: Simple, everyday language.
 - `VITE_NOVU_APPLICATION_IDENTIFIER`: Novu app ID
 - `VITE_NOVU_SOCKET_URL`: Novu WebSocket endpoint
 - `VITE_NOVU_API_URL`: Novu API endpoint
+- `VITE_CLOUDFLARE_ACCOUNT_HASH`: Cloudflare Images account hash for image URL construction
+- `VITE_SUPABASE_URL`: Supabase project URL
 - Supabase credentials (injected by hosting platform)
 - Cloudflare Images API credentials (stored in Supabase secrets)
 
@@ -234,4 +236,20 @@ Preferred communication style: Simple, everyday language.
 - Theme persistence via localStorage
 - Unit preferences (metric/imperial)
 - Auto-detection for location-based settings
-- Notification channel preferences
\ No newline at end of file
+- Notification channel preferences
+
+## Recent Changes
+
+### Security Fixes (October 7, 2025)
+
+**Environment Variable Migration:**
+- Moved hardcoded Cloudflare account hash to `VITE_CLOUDFLARE_ACCOUNT_HASH` environment variable
+- Updated 14 components to use environment variable instead of hardcoded values:
+  - Card components: ParkCard, RideCard, ManufacturerCard, OperatorCard, ParkOwnerCard, RideModelCard
+  - Detail pages: ParkDetail, RideDetail, ManufacturerDetail, OperatorDetail, PropertyOwnerDetail, DesignerDetail
+  - Upload component: PhotoUpload (now uses env var for Supabase URL)
+- Verified zero hardcoded sensitive values remain in codebase
+
+**Import Fixes:**
+- Fixed sonner.tsx to import `useTheme` from local `@/components/theme/ThemeProvider` instead of incorrect `next-themes` package
+- Ensures proper theme functionality without external dependency issues
\ No newline at end of file