security: remove hardcoded secret fallbacks and Railway URLs

.gitignore

@@ -44,3 +44,9 @@ slither-report.json
 
 # Local config
 .claude/settings.local*.json
+
+# Wallet files — NEVER commit
+.production-wallet-backup.json
+.production-wallet-backup.json.password
+.test-wallet.json
+.test_wallets.json

README.md

@@ -244,14 +244,14 @@ Use **PredictionMarketV2** for everything. V1 lacks a resolution mechanism.
 
 ## Deployment
 
-The backend runs on **Railway** at `proteus-production-6213.up.railway.app`, auto-deploying from `main`.
-
-| Service | Provider | Purpose |
-|---------|----------|---------|
-| Backend (gunicorn + Flask) | Railway | API, admin dashboard, marketing pages |
-| Redis | Railway | Caching, Celery broker, auth stores |
-| Postgres | Railway | Available but unused (chain-only mode) |
-| Smart contracts | BASE Sepolia | All market data on-chain |
+The backend auto-deploys from `main`.
+
+| Service | Purpose |
+|---------|---------|
+| Backend (gunicorn + Flask) | API, admin dashboard, marketing pages |
+| Redis | Caching, Celery broker, auth stores |
+| Postgres | Available but unused (chain-only mode) |
+| Smart contracts (BASE Sepolia) | All market data on-chain |
 
 ### Local Development
 

app.py

@@ -41,7 +41,7 @@ def create_app():
     app.wsgi_app = ProxyFix(app.wsgi_app, x_proto=1, x_host=1)
 
     # Set secret key for flash messages only (not for sessions)
-    app.secret_key = os.environ.get("SESSION_SECRET", "phase7-blockchain-only-flash-messages")
+    app.secret_key = os.environ["SESSION_SECRET"]
 
     # Load configuration
     # Phase 4: Use chain-only configuration

config.py

@@ -1,5 +1,5 @@
 import os
 from datetime import timedelta
 
 
 class Config:
@@ -18,9 +18,9 @@
     CELERY_RESULT_BACKEND = os.environ.get('CELERY_RESULT_BACKEND') or 'redis://localhost:6379/0'
 
     # Node configuration
-    NODE_OPERATOR_ID = os.environ.get('NODE_OPERATOR_ID') or 'default-node-001'
-    NODE_PRIVATE_KEY = os.environ.get('NODE_PRIVATE_KEY') or 'dev-private-key'
-    NODE_PUBLIC_KEY = os.environ.get('NODE_PUBLIC_KEY') or 'dev-public-key'
+    NODE_OPERATOR_ID = os.environ.get('NODE_OPERATOR_ID', 'default-node-001')
+    NODE_PRIVATE_KEY = os.environ.get('NODE_PRIVATE_KEY')
+    NODE_PUBLIC_KEY = os.environ.get('NODE_PUBLIC_KEY')
 
     # BASE Blockchain configuration
     BASE_RPC_URL = os.environ.get('BASE_RPC_URL') or 'https://mainnet.base.org'

docs/ARCHITECTURE.md

@@ -34,9 +34,9 @@ The novel piece is on-chain Levenshtein distance as a scoring function for predi
 └─────────────────────┬───────────────────────────────────┘
                       │
 ┌─────────────────────▼───────────────────────────────────┐
-│              Flask Backend (Railway)                      │
+│              Flask Backend                                │
 │  (gunicorn, API Routes, Wallet Auth, Redis Cache)        │
-│  proteus-production-6213.up.railway.app                  │
+│                                                          │
 └─────────────────────┬───────────────────────────────────┘
                       │
 ┌─────────────────────▼───────────────────────────────────┐

docs/ROADMAP.md

@@ -22,7 +22,7 @@ Validate that on-chain Levenshtein distance works as a prediction market scoring
 - [x] Structured logging, request tracing
 - [x] Railway deployment (gunicorn + Redis, auto-deploy from GitHub)
 
-**Result:** The primitive works. Smart contracts handle the full lifecycle. Levenshtein scoring resolves markets deterministically on-chain. Backend deployed on Railway at `proteus-production-6213.up.railway.app`.
+**Result:** The primitive works. Smart contracts handle the full lifecycle. Levenshtein scoring resolves markets deterministically on-chain.
 
 **Known tradeoffs (acceptable for prototype):**
 - PBKDF2 embedded wallet shim (not real CDP)

docs/archive/FIREBASE-SETUP-GUIDE.md

@@ -85,7 +85,6 @@ This guide documents the exact Firebase Console configuration required for email
 5. Under **Application restrictions**:
    - Select **HTTP referrers**
    - Add:
-     - `https://proteus-production-6213.up.railway.app/*`
      - `https://yourdomain.com/*`
 6. Under **API restrictions**:
    - Select **Restrict key**

services/embedded_wallet.py

@@ -331,7 +331,7 @@ def _generate_seed(self, identifier: str) -> bytes:
                 "PBKDF2 seed generation should not be called when CDP is configured. "
                 "Use CDP wallet creation instead."
             )
-        master_secret = os.environ.get('MASTER_WALLET_SECRET', 'default-secret-change-in-production')
+        master_secret = os.environ["MASTER_WALLET_SECRET"]
         combined = f"{master_secret}:{identifier}"
         # Legacy salt — do not change without migrating existing wallets
         return hashlib.pbkdf2_hmac('sha256', combined.encode(), b'clockchain', 100000)

services/firebase_auth.py

@@ -211,7 +211,7 @@ def _generate_temp_password(self, email: str) -> str:
         Generate a temporary password for the user
         This is used internally and not shared with the user
         """
-        secret = os.environ.get('SESSION_SECRET', 'default-secret')
+        secret = os.environ["SESSION_SECRET"]
         return hashlib.pbkdf2_hmac(
             'sha256',
             email.encode(),