Problem
generateRemoteTestnetComposeFile in compose-generator.js embeds private keys directly into docker-compose.yaml as environment variables (e.g., ETHREX_DEPLOYER_L1_PRIVATE_KEY, ETHREX_BRIDGE_OWNER_PK).
This leaves the secrets at rest on disk in plaintext, and because they are passed as environment variables they are also easily retrievable via docker inspect or may end up in container logs.
Proposed Solution
- Use a separate .env file with strict permissions (chmod 600) instead of inlining keys in the compose file
- Or use Docker secrets for sensitive values
- Consider remote secret manager integration for production deployments
Context
Raised in PR #44 code review: #44 (comment)
Files
crates/desktop-app/local-server/lib/compose-generator.js — generateRemoteTestnetComposeFile()