This repository is a deployment template and research tool. It should never contain real secrets.
Please do not open a public issue for vulnerabilities involving:
- leaked private keys or API credentials
- order execution bypasses
- dashboard authentication bypasses
- unsafe defaults that could place live orders unexpectedly
- cloud deployment credential exposure
Use GitHub private vulnerability reporting if enabled for the repository. If it is not enabled, contact the repository maintainer through the safest private channel listed on the project profile.
Never commit:
.env- private keys
- CLOB API credentials
- dashboard passwords
- RPC URLs with embedded credentials
- cloud service account JSON
Run the included secret scan locally when in doubt:
docker run --rm -v "$PWD:/repo" zricethezav/gitleaks:latest detect --source /repoLive execution should require:
- dry-run variables intentionally disabled
TRADING_ENABLED=TRUE- the relevant strategy switch set to
TRUE - reviewed order size and loss limits
- monitored logs and dashboard state
Any code path that places orders without those gates should be treated as a security issue.