> ## Documentation Index
> Fetch the complete documentation index at: https://docs.signalarc.fun/llms.txt
> Use this file to discover all available pages before exploring further.

# SECURITY AND SECRETS

# Security and Secrets

SignalArc must keep secrets out of source control and out of public documentation. This repository currently documents local/testnet prototype behavior only and does not claim production custody, production settlement, audit completion, or compliance approval.

## Never Commit

* `.env`
* `.env.local`
* Private keys
* Seed phrases
* Circle API keys
* Blockscout API keys
* WalletConnect project IDs when project policy keeps them local or deployment-only
* Production database credentials
* RPC secrets
* Local database files
* `node_modules`
* `.next`
* `out`
* `dist`

## NEXT\_PUBLIC Variables

`NEXT_PUBLIC_*` variables are exposed to browser JavaScript.

Safe examples:

* Public API base URL.
* WalletConnect project ID when intended for browser use and configured through deployment settings.

Never put secrets in `NEXT_PUBLIC_*`, including private keys, Circle API keys, database URLs, RPC secrets, or server-only credentials.

## Backend Secrets

Local development database values may appear in Docker Compose for the local database. Production secrets must be configured outside source control through the deployment platform or a secret manager.

Backend production secrets must not be written to Markdown files, committed examples, logs, frontend code, or generated artifacts.

## Wallet Model

* External wallets sign user transactions in the browser.
* Backend must not sign user transactions.
* No private key belongs in frontend or backend source code.
* Circle embedded wallet is not implemented.
* Circle SDK/API integration is not implemented in the current repository.

## Smart Contract Status

* Current contract is an Arc Testnet prototype.
* It is unaudited.
* It is not production custody.
* It is not production settlement.
* It does not prove mainnet readiness.

## Circle

* Circle API keys must never be placed in frontend code.
* Circle API keys must never be placed in public docs.
* Circle SDK/API integration is not implemented unless explicitly added in a future change.
* Circle behavior that is not implemented or not documented by official Circle sources is unknown / not documented.

## Deployment

* DNS/live deployment is not approved or completed yet.
* Production environment variables must be configured outside source control.
* CORS must be reviewed before production deployment.
* Production database credentials must use deployment secret management.
