This document outlines security best practices for the CronosAI project to prevent accidental exposure of sensitive information.
Don't:
- Commit `.env` files that contain real API keys or private keys
- Hardcode secrets in source code
- Use example values that look realistic; an address placeholder should be an obvious stand-in such as `0x...`
- Share private keys or API keys through any non-secure channel
- Reuse a private key across multiple services or projects
Do:
- Use `.env.example` as the template for the required variables
- Create a local `.env` file (automatically ignored by git)
- Use `.env.local` for environment-specific configuration
- Rotate API keys regularly
- Use separate wallets for different purposes (recipient vs. service)
- Keep API keys and private keys in a secrets vault in production
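Keeping `.env` aligned with `.env.example` is easy to get wrong by hand: a variable added to the template is missed locally, or a placeholder is copied over and never filled in. The script below is an added example, not CronosAI project code; it reads the variable names out of both files and reports what is missing or still a placeholder before the service starts. The two sample files and the variable names in them are constructed for the demonstration and are not taken from the project's real `.env.example`.

```shell
#!/bin/bash
# Added example, not CronosAI project code: check a local .env against
# .env.example before starting the service. Variable names below are assumed
# for the demonstration; use whatever your own .env.example declares.

# env_keys FILE: print the variable names defined in a dotenv-style file, one
# per line. Blank lines and comments are skipped; a leading "export" is allowed.
env_keys() {
  sed -nE 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=.*$/\2/p' "$1"
}

# missing_env_keys EXAMPLE LOCAL: names required by EXAMPLE that LOCAL lacks.
missing_env_keys() {
  have=$(mktemp)
  env_keys "$2" | sort -u > "$have"
  env_keys "$1" | sort -u | grep -vxF -f "$have" || true
  rm -f "$have"
}

# placeholder_keys FILE: names whose value is still a template placeholder
# (<...>, "..." or "0x...", or empty), i.e. copied from the template but never
# filled in. Quoted values are not handled; the dotenv files here are unquoted.
placeholder_keys() {
  grep -E '^[[:space:]]*(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=[[:space:]]*(<[^>]*>|(0x)?\.\.\.)?[[:space:]]*$' "$1" \
    | sed -E 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*).*$/\2/' || true
}

# check_env EXAMPLE LOCAL: print one line per problem; return 1 if any found.
check_env() {
  status=0
  for k in $(missing_env_keys "$1" "$2"); do echo "missing in $2: $k"; status=1; done
  for k in $(placeholder_keys "$2"); do echo "placeholder value in $2: $k"; status=1; done
  return $status
}

# Constructed sample files (no real values). The template carries only
# placeholders, as .env.example should; the local copy has one variable
# missing and two still unfilled.
EXAMPLE_FILE=$(mktemp)
LOCAL_FILE=$(mktemp)
printf '%s\n' '# Required variables' 'ANTHROPIC_API_KEY=<YOUR_VALUE>' \
  'CRONOSCAN_API_KEY=<YOUR_VALUE>' 'RECIPIENT_WALLET=0x...' \
  'SERVICE_WALLET_PRIVATE_KEY=<YOUR_VALUE>' > "$EXAMPLE_FILE"
printf '%s\n' 'ANTHROPIC_API_KEY=sk-ant-not-a-real-key' 'RECIPIENT_WALLET=0x...' \
  'export SERVICE_WALLET_PRIVATE_KEY=' > "$LOCAL_FILE"

if check_env "$EXAMPLE_FILE" "$LOCAL_FILE"; then
  echo "env OK"
else
  echo "fix the entries above before starting the service"
fi
```

Run it as a start-up guard (`check_env .env.example .env || exit 1`) so a half-configured deployment fails fast instead of starting with an empty private key or a literal `<YOUR_VALUE>` as an API key.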
The following files and patterns are ignored by git and will NOT be committed to GitHub:

```text
.env                         # Main environment file
.env.local                   # Local overrides
.env.*.local                 # Environment-specific local files
.env.production.local        # Production local config (also covered by .env.*.local)
node_modules/                # Dependencies
dist/                        # Build artifacts
.claude/settings.local.json  # Local Claude settings
*.pem, *.key, *.pfx, *.p12   # Certificate and key files
```

`.env.example` is deliberately not in this list: it is the committed template and must contain placeholders only. Note that an ignore rule does not untrack a file that was already committed; if a `.env` is already in the index, `git rm --cached .env` removes it from tracking, and the section on exposed secrets below applies to its contents.
Anthropic API key:
- Format: `sk-ant-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` (the `sk-ant-` prefix is what the checks in this document grep for)
- Get from: https://console.anthropic.com/
- Keep separate keys for development, staging, and production
- Rotate keys periodically
Cronoscan API key:
- Get from: https://cronoscan.com/apis
- Used for querying blockchain data
- Keep it separate from other projects' keys
- Monitor usage for suspicious activity
Private keys:
- NEVER hardcode private keys in source code
- NEVER commit private keys to version control
- Use a secure key management system in production
- Consider a Hardware Security Module (HSM) for production keys
- Rotate the service wallet (generate a new key and move the funds) if it is compromised
Recipient wallet:
- Should be a dedicated wallet used by this service only
- Its private key should NOT be held by the service; the service only needs the address
- Used for monitoring incoming x402 payments
- The address is non-sensitive (it can appear in `.env.example`)
Service wallet:
- Holds the private key used for signing transactions
- NEVER share or expose that private key
- Should hold only the minimal funds needed for gas fees, so a compromise is bounded
- Must be a different wallet from the recipient wallet
- Used only when a query requires signing
In production:
- Use Environment Variables: inject secrets through the deployment platform's environment configuration, not through files baked into the image or repository
- Use Secrets Management: use a service such as:
  - AWS Secrets Manager
  - Azure Key Vault
  - HashiCorp Vault
  - GitHub Secrets (for CI/CD)
- Audit Access: log and monitor who reads each secret
- Rotate Regularly: establish a schedule for rotating secrets
- Limit Scope: grant the minimal permissions each secret needs
- Use Service Accounts: a separate identity for each service, so one compromise does not expose another's secrets
Run these checks before pushing to GitHub:

```bash
# Check for accidentally staged secrets (the 40+-hex pattern also matches
# public addresses, so review each hit rather than treating it as a leak)
git diff --cached | grep -E "sk-|0x[a-fA-F0-9]{40,}|PRIVATE_KEY|private_key"

# Verify .env is ignored (prints ".env" if it is, nothing otherwise)
git check-ignore .env

# List untracked files that are NOT ignored, i.e. anything that could be
# added by mistake; `git diff --cached --name-only` shows what the next
# commit will actually contain
git ls-files --others --exclude-standard
```

If a secret has been committed or otherwise exposed:
- IMMEDIATELY rotate the exposed key or secret; anything that reached a remote must be treated as compromised, whatever is done to the history afterwards
- Remove it from git history and force-push the rewritten refs:

```bash
git filter-branch --force --index-filter \
  'git rm --cached --ignore-unmatch .env' \
  --prune-empty --tag-name-filter cat -- --all
git push --force --all
git push --force --tags
```

  Git's own documentation now warns against `git filter-branch` and recommends `git filter-repo` for the same rewrite; with either tool every collaborator must re-clone, and forks, caches and already-fetched clones still hold the old commits, which is why rotation comes first
- Notify the team
- Review the git log for any other exposed secrets
Consider using these tools to prevent accidental commits:
- git-secrets: https://github.com/awslabs/git-secrets
- pre-commit hooks: https://pre-commit.com/
- TruffleHog: https://github.com/truffleHog/truffleHog
Example `.git/hooks/pre-commit` (make it executable with `chmod +x`):

```bash
#!/bin/bash
# Block the commit if a likely secret appears in the lines being added.
# Only '+' lines are checked and the '+++ b/file' header is skipped, so
# removing a leaked value does not trip the hook.
if git diff --cached --no-ext-diff | grep -E '^\+' | grep -vE '^\+\+\+ ' \
    | grep -E 'sk-|PRIVATE|SECRET|API_KEY'; then
  echo "ERROR: Secrets detected in staged changes!" >&2
  exit 1
fi
exit 0
```

These patterns are deliberately broad (`sk-` also matches ordinary words such as `task-`, and this document itself contains `SECRET`), so expect to review hits; `git commit --no-verify` skips the hook for a change you have inspected by hand.

Documentation:
- Never put actual secrets in the README or other docs
- Use placeholder values in `<>` or `<YOUR_VALUE>` format
- Link to the official documentation for obtaining each secret
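The pre-push grep and the pre-commit hook above share two weaknesses: they know nothing about which files are staged, and their patterns fire on anything containing `sk-` or `SECRET`. As an added example that is not part of the CronosAI repository, the script below tightens both. It scans only the lines a commit adds, with patterns for the `sk-ant-` prefix, a 64-hex-digit private key, and a literal quoted value assigned to a `*PRIVATE_KEY`, `*SECRET` or `*API_KEY` name, and it separately refuses any staged `.env` variant other than `.env.example`. The two diff snippets and the file names it is exercised against are constructed for the demonstration; the variable names in them are assumptions, not the project's real configuration.

```shell
#!/bin/bash
# Added example, not CronosAI project code: a pre-commit secret scanner that
# looks only at the lines a commit ADDS, plus a check that no .env variant other
# than .env.example is staged. Install as .git/hooks/pre-commit (chmod +x).

# What counts as a likely secret on an added line:
#   1. an Anthropic key: "sk-ant-" followed by a long token
#   2. a 64-hex-digit string, optionally 0x-prefixed: the shape of an Ethereum
#      private key (a 40-hex-digit address does not match)
#   3. a literal quoted value assigned to a *PRIVATE_KEY / *SECRET / *API_KEY
#      name (reading the same name from process.env is not flagged)
SECRET_PATTERNS="sk-ant-[A-Za-z0-9_-]{20,}|(^|[^0-9a-fA-F])(0x)?[0-9a-fA-F]{64}([^0-9a-fA-F]|\$)|(PRIVATE_KEY|SECRET|API_KEY)[A-Za-z0-9_]*[[:space:]]*[:=][[:space:]]*[\"'][^\"' ]{8,}"

# count_secret_lines: read a unified diff on stdin, print how many ADDED lines
# match SECRET_PATTERNS. '+++ b/file' headers are skipped; removed ('-') and
# context lines are ignored, so deleting a leaked value never trips the hook.
count_secret_lines() {
  grep -E '^\+' | grep -vE '^\+\+\+ ' | grep -cE "$SECRET_PATTERNS" || true
}

# filter_env_files: read file paths on stdin, print those that are .env files
# (.env, .env.local, sub/dir/.env.production.local, ...) except .env.example.
filter_env_files() {
  grep -E '(^|/)\.env(\.[^/]+)?$' | grep -vE '\.env\.example$' || true
}

# Constructed sample input (not real keys): one diff that leaks an API key and
# a private key, one that only reads them from the environment.
SAMPLE_DIFF='diff --git a/src/config.ts b/src/config.ts
--- a/src/config.ts
+++ b/src/config.ts
@@ -1,2 +1,5 @@
-const ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY;
+const ANTHROPIC_API_KEY = "sk-ant-EXAMPLEEXAMPLEEXAMPLEEXAMPLE0000";
+const SERVICE_WALLET_PRIVATE_KEY = "0x0000000000000000000000000000000000000000000000000000000000000001";
+// recipient address: public, not a secret, and 40 hex digits so it is not flagged
+const RECIPIENT_WALLET = "0x000000000000000000000000000000000000dEaD";
 export { ANTHROPIC_API_KEY };'

CLEAN_DIFF='diff --git a/src/config.ts b/src/config.ts
--- a/src/config.ts
+++ b/src/config.ts
@@ -1,1 +1,3 @@
+const ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY;
+const RECIPIENT_WALLET = process.env.RECIPIENT_WALLET ?? "0x000000000000000000000000000000000000dEaD";
 export {};'

# Hook entry point: block the commit on any hit.
main() {
  status=0
  hits=$(git diff --cached --no-ext-diff | count_secret_lines)
  if [ "$hits" != "0" ]; then
    echo "ERROR: $hits added line(s) look like secrets; inspect with: git diff --cached" >&2
    status=1
  fi
  envs=$(git diff --cached --name-only --diff-filter=AM | filter_env_files)
  if [ -n "$envs" ]; then
    echo "ERROR: .env file(s) staged: $envs" >&2
    status=1
  fi
  return $status
}

# Run the hook only when installed under that name; otherwise just define the
# functions so the script can be sourced or exercised against the samples.
if [ "${0##*/}" = "pre-commit" ]; then
  main
fi
```

The 64-hex-digit pattern also matches SHA-256 digests, so lockfiles and checksum lists will produce hits; exclude such paths from the diff (`git diff --cached -- . ':!package-lock.json'`) rather than loosening the pattern. Keep the hook as a tripwire, not the control: `.gitignore` and a secrets manager prevent the leak, the hook only catches the slip.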
If you discover a security vulnerability or have concerns about exposed secrets:
- Do not make it public
- Rotate the affected credentials immediately
- Contact the security team
- Document the incident
Last Updated: January 10, 2026
Security Level: CRITICAL