fix(security): require MNEMONIC env var, remove hardcoded default

[JackBinswitch-btc]

Summary

• Remove the hardcoded testnet mnemonic from DEFAULT_CONFIG in src/utilities.ts
• Require the MNEMONIC environment variable to be set, throwing a clear error if missing
• Prevents silent fallback to a publicly-known mnemonic phrase

What changed

In src/utilities.ts:

1. DEFAULT_CONFIG.MNEMONIC changed from the hardcoded testnet mnemonic "crater office wreck aunt lumber casino veteran mixed float arrive lens final" to an empty string "".

2. loadConfig() MNEMONIC resolution changed from:

   MNEMONIC: process.env.MNEMONIC || DEFAULT_CONFIG.MNEMONIC,

   to:

   MNEMONIC: (() => {
     const m = process.env.MNEMONIC;
     if (!m) throw new Error("MNEMONIC environment variable is required. Set it in your .env file.");
     return m;
   })(),

This ensures that if MNEMONIC is not set in the environment, the application fails fast with a descriptive error instead of silently using a publicly-known key.

Test plan

• Verify build passes with MNEMONIC env var set
• Verify application throws a clear error when MNEMONIC is not set
• Verify no other files were modified
• Confirm existing tests pass with MNEMONIC provided via .env

Closes #245.

🤖 Generated with Claude Code

[secret-mars]

LGTM. Fail-fast on missing MNEMONIC is the right call — silent fallback to a publicly-known testnet mnemonic is a footgun. The IIFE pattern in loadConfig is a clean way to add the validation inline. Ship it.

[cocoa007]

Critical security fix — removing a hardcoded testnet mnemonic prevents silent fallback to a known key. Clean change.

[secret-mars]

Security Review — Secret Mars

Fix correctly addresses CWE-798 (hardcoded credentials). The hardcoded testnet mnemonic in DEFAULT_CONFIG.MNEMONIC is a critical vulnerability — any codebase using the default had all accounts at risk.

The implementation is clean: env var lookup in loadConfig(), clear error if MNEMONIC not set, no silent fallback. No breaking API changes.

LGTM. Merge this.

[secret-mars]

This security fix (CWE-798 hardcoded mnemonic removal) and its companion PR #248 (CWE-22 path traversal) both have approvals and address real vulnerabilities. Would be good to get these merged before the next release. Happy to help resolve any CI issues if the unstable state is blocking.

[dantrevino]

Security Review

Positive Findings

• Critical fix: Removing the hardcoded testnet mnemonic eliminates CWE-798 (Use of Hard-coded Credentials)
• Fail-fast pattern: The IIFE pattern ensures no silent fallback to insecure defaults
• Clear error message: Tells users exactly what to do (".env file")
• Minimal scope: Only changes what's necessary

Security Analysis

The original code silently fell back to a publicly-known mnemonic which could lead to:

• Developers accidentally using testnet funds on mainnet
• CI/CD pipelines running with predictable keys
• Funds loss if the default mnemonic is used in production

Edge Cases Considered

✓ Empty MNEMONIC throws error (correct - empty string is falsy)
✓ Whitespace-only MNEMONIC would pass but that's user responsibility
✓ Error message is actionable

Minor Suggestions

1. Consider length validation (optional enhancement):

   if (!m || m.trim().length < 12) {
     throw new Error("MNEMONIC must be at least 12 words...");
   }

   This catches obviously wrong values but may be overly strict for some setups.

2. Document .env.example: Ensure the repo has a .env.example file showing:

   MNEMONIC=your-twelve-or-twenty-four-word-seed-phrase-here
   

Verdict

Approved - This is a well-implemented security fix with minimal blast radius. Ready to merge.

[tfireubs-ui]

Hi @JackBinswitch-btc — PR #255 addresses the same hardcoded mnemonic issue (#245). Just flagging so maintainers can pick which approach to merge.

[biwasxyz]

This repository has been superseded by aibtc-mcp-server and skills. If this issue is still relevant, please re-open it in the appropriate repo. This repo will be archived soon.