.env files in production.
The agent's private key grants full transaction authority. If the host server is compromised, the key can be extracted regardless of on-chain spending caps (the attacker can drain funds slowly under the daily limit, or perform malicious signatures).
For production deployments, upgrade from single-key auth to one of:
-
MPC (Multi-Party Computation) — Split the key across independent parties. No single server holds the full key. Providers: Lit Protocol, Fireblocks, Turnkey.
-
Off-chain Multisig Co-signer — Require a second service (e.g., a cloud function behind strict IAM) to co-sign every transaction before broadcasting. The co-signer validates payload structure and destination addresses.
-
HSM / Cloud Secrets Vault — Store the key in a Hardware Security Module (AWS KMS, GCP Cloud HSM) or a dynamic secrets manager (AWS Secrets Manager, GCP Secret Manager) with:
- Strict RBAC — only the agent runtime role can access
- Audit logging — every key access is recorded
- Automatic rotation — keys expire and rotate on schedule
For local development only, copy .env.example to .env:
cp .env.example .envThe .env file is gitignored. Never commit real keys.
This repo has TruffleHog secret scanning enabled on every push, PR, and weekly schedule ([.github/workflows/trufflehog.yml](.github/workflows/trufflehog.yml)).
If a secret is accidentally committed:
- Rotate the key immediately (the commit history is public)
- Rewrite git history with
git filter-branchorbfg - Force-push after confirming the key is revoked
Email: atlasnexus.ops@proton.me DO NOT open a public issue for security vulnerabilities.