Summary
PR #248 review identified critical security issues — hardcoded secrets in docker-compose.sandbox.yml and insecure logging defaults that leak PII and crypto details.
Issues to Fix
Critical — Secret Externalization
- Stripe webhook secret hardcoded (docker-compose.sandbox.yml:225): APP_PSP_STRIPE_WEBHOOK_WEBHOOK_SECRET: "whsec_2103ca6a..." committed to source control
  - Action: Replace with ${STRIPE_SANDBOX_WEBHOOK_SECRET}, rotate the leaked secret in the Stripe dashboard, add to .env.sandbox
- EVM private key hardcoded (docker-compose.sandbox.yml:260): APP_CUSTODY_DEV_EVM_PRIVATE_KEY: "4b59e111..." committed to source control
  - Action: Replace with ${CUSTODY_DEV_EVM_PRIVATE_KEY}, generate a new sandbox wallet, fund it, invalidate the old key, add to .env.sandbox
- Create .env.sandbox.template with placeholder values (committed) and .env.sandbox (gitignored) for the actual secrets
Major — Logging Security
- External API logging enabled by default (docker-compose.sandbox.yml, 7 occurrences): APP_EXTERNAL_API_LOGGING_ENABLED: "true" logs full request/response payloads, including PII and provider API keys
  - Action: Default to "false"; enable only per-service for targeted debugging
- Crypto stack trace logging (GlobalExceptionHandler.java:65): log.error("Custody signing error: {}", ex.getMessage(), ex) logs the full stack trace from JWT signing / crypto operations
  - Action: Remove the throwable parameter and log only ex.getMessage(); no stack trace on the signing path
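As an added example (not code from the PR or the project), a small pre-commit style check in Python that enforces the two compose-file requirements above: secret-bearing keys must be externalized as ${VAR} interpolation rather than literals, and APP_EXTERNAL_API_LOGGING_ENABLED must not be switched on. The compose snippet and every value in it are constructed placeholders; a real compose file would be loaded with a YAML parser instead of the line regex used here.

```python
import re

# Constructed sample in the shape of docker-compose environment blocks; the
# values are placeholders, not the secrets referenced in the issue.
SAMPLE_COMPOSE = """\
services:
  payments:
    environment:
      APP_PSP_STRIPE_WEBHOOK_WEBHOOK_SECRET: "whsec_0000000000000000000000000000"
      APP_EXTERNAL_API_LOGGING_ENABLED: "true"
  custody:
    environment:
      APP_CUSTODY_DEV_EVM_PRIVATE_KEY: "${CUSTODY_DEV_EVM_PRIVATE_KEY}"
      APP_EXTERNAL_API_LOGGING_ENABLED: "false"
  ledger:
    environment:
      APP_CUSTODY_DEV_EVM_PRIVATE_KEY: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
"""

ENV_LINE = re.compile(r'^\s+([A-Z][A-Z0-9_]*):\s*"?([^"\s]*)"?\s*$')
# ${VAR} or ${VAR:-default}: value comes from the environment / .env file.
INTERPOLATED = re.compile(r'^\$\{[A-Z0-9_]+(:-[^}]*)?\}$')
# Literal shapes flagged as hardcoded secrets: Stripe webhook secrets and
# 32-byte hex private keys, matching the two findings in this issue.
SECRET_SHAPES = [
    ("stripe webhook secret", re.compile(r'^whsec_[A-Za-z0-9]{8,}$')),
    ("hex private key", re.compile(r'^(0x)?[0-9a-fA-F]{64}$')),
]
SECRET_KEY_HINTS = ("SECRET", "PRIVATE_KEY", "API_KEY", "PASSWORD", "TOKEN")

def parse_env(text):
    """Yield (key, value) for every indented KEY: "value" line."""
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m:
            yield m.group(1), m.group(2)

def find_hardcoded_secrets(text):
    """Secret-bearing keys whose value is a literal instead of ${VAR}."""
    findings = []
    for key, value in parse_env(text):
        if INTERPOLATED.match(value):
            continue  # externalized, which is what the fix requires
        secret_key = any(h in key for h in SECRET_KEY_HINTS)
        shape = next((n for n, rx in SECRET_SHAPES if rx.match(value)), None)
        if secret_key or shape:
            findings.append((key, shape or "literal in secret-named key"))
    return findings

def find_unsafe_logging_defaults(text, flag="APP_EXTERNAL_API_LOGGING_ENABLED"):
    """Count services where full payload logging is switched on."""
    return sum(1 for k, v in parse_env(text) if k == flag and v.lower() == "true")
```

Run as a CI step against docker-compose.sandbox.yml, a non-empty result from either function should fail the build.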
Acceptance Criteria
- .env.sandbox.template committed with placeholder values
- .env.sandbox in .gitignore
- External API logging defaults to "false"
- CustodySigningException handler logs message only, no stack trace
References