---
issue: 114
title: "Frontend: WalletConnect/Google client IDs hardcoded as Dockerfile ARG defaults"
severity: low
domain: Security
labels: [frontend, configuration, ci-cd]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Frontend: WalletConnect/Google client IDs hardcoded as Dockerfile ARG defaults

**Severity:** low
**Domain:** Security
**Labels:** frontend, configuration, ci-cd

## Description

`frontend/Dockerfile:14` sets hardcoded default values for `NEXT_PUBLIC_WALLETCONNECT_PROJECT_ID` and `NEXT_PUBLIC_GOOGLE_CLIENT_ID` as `ARG` defaults. Any fork or copy of this repo that builds the image without overriding them will silently use the production IDs, with nothing in the build signalling that this happened.

## Options

1. Remove the defaults; require the values to be supplied as build-args from CI.
2. Keep the defaults, since the values are public-by-design, but document them.
3. Move the values to runtime environment only.

## Recommendation

Remove the baked-in defaults and supply the values via CI build-args so that forks cannot reuse the production IDs by accident. These values are public, but their use should be explicit.

## Affected Files

- `frontend/Dockerfile:14`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-74
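To keep the recommended fix from regressing, a CI lint step can fail whenever a Dockerfile bakes a non-empty default into either `ARG`. The script below is an added example, not code from the audit or the project; the function name `check_arg_defaults`, the sample Dockerfiles and the placeholder ID values are all constructed for illustration.

```shell
#!/bin/sh
# Added example: CI guard that rejects "ARG NAME=<default>" for client-ID args.
# Usage: check_arg_defaults path/to/Dockerfile NAME [NAME ...]
# Returns 1 (and prints each offending line) if any listed ARG has a default.

check_arg_defaults() {
  file=$1; shift
  status=0
  for name in "$@"; do
    # Match "ARG NAME=<non-empty value>", with or without quotes around it.
    # "ARG NAME" (no value) passes; the RUN test in the fixed Dockerfile below
    # still catches an empty value that CI forgot to pass.
    if grep -En "^[[:space:]]*ARG[[:space:]]+${name}=[\"']?[^\"'[:space:]]" "$file"; then
      status=1
    fi
  done
  return $status
}

# Constructed sample: the weak form the issue describes (placeholder IDs).
BAD_DOCKERFILE=$(mktemp)
cat >"$BAD_DOCKERFILE" <<'EOF'
FROM node:20-alpine AS builder
ARG NEXT_PUBLIC_WALLETCONNECT_PROJECT_ID=placeholder-walletconnect-id
ARG NEXT_PUBLIC_GOOGLE_CLIENT_ID="placeholder-google-client-id"
EOF

# Constructed sample: the recommended form, with a fail-fast check so a build
# that was not given both --build-arg values stops immediately.
GOOD_DOCKERFILE=$(mktemp)
cat >"$GOOD_DOCKERFILE" <<'EOF'
FROM node:20-alpine AS builder
ARG NEXT_PUBLIC_WALLETCONNECT_PROJECT_ID
ARG NEXT_PUBLIC_GOOGLE_CLIENT_ID
RUN test -n "$NEXT_PUBLIC_WALLETCONNECT_PROJECT_ID" \
 && test -n "$NEXT_PUBLIC_GOOGLE_CLIENT_ID"
EOF

ARGS="NEXT_PUBLIC_WALLETCONNECT_PROJECT_ID NEXT_PUBLIC_GOOGLE_CLIENT_ID"
```

In CI, run `check_arg_defaults frontend/Dockerfile $ARGS` before `docker build --build-arg NEXT_PUBLIC_WALLETCONNECT_PROJECT_ID=... --build-arg NEXT_PUBLIC_GOOGLE_CLIENT_ID=... frontend/`.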