Status: Closed
Labels: critical (Critical priority), security (Security vulnerability), sprint-1 (Sprint 1 scope)
Description
Summary
Hardcoded Vault token 'trading-bot-token' found in main.py line 18.
Risk
HIGH — Anyone with code access gets direct Vault access and can read all secrets (API keys, DB passwords, etc.)
Location
```python
# main.py:18
vault_token = 'trading-bot-token'
```
Fix
```python
import os

vault_token = os.environ.get('VAULT_TOKEN')
if not vault_token:
    raise RuntimeError('VAULT_TOKEN environment variable not set')
```
Sprint
Sprint 1 — Story 1.2 (Security Hardening)
Found by PM agent audit — Feb 17, 2026
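To make this class of finding repeatable rather than a one-off audit hit, the following is an added example (not code from this project) of a small AST-based check that flags string literals assigned to secret-looking variable names such as `vault_token`, alongside a loader that reads `VAULT_TOKEN` from the environment as the Fix section prescribes. The name pattern `SECRET_NAME_RE`, the rejection of blank token values, and the sample sources are assumptions made for this example.

```python
"""Detect hardcoded secrets such as the Vault token described in this issue.

Added example, not project code: an AST scan for string literals bound to
secret-looking names, plus an environment-based loader mirroring the fix.
"""
from __future__ import annotations

import ast
import os
import re

# Names that should never be bound to a string literal in source.
# The pattern is an assumption for this example; extend it to taste.
SECRET_NAME_RE = re.compile(r"(token|secret|password|passwd|api_key)$", re.IGNORECASE)


def find_hardcoded_secrets(source: str) -> list[tuple[int, str, str]]:
    """Return (line, variable, literal) for each secret-looking name assigned a str literal."""
    findings: list[tuple[int, str, str]] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, (ast.Assign, ast.AnnAssign)):
            continue
        value = node.value
        # Only string constants count; os.environ.get(...) calls are not flagged.
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        targets = node.targets if isinstance(node, ast.Assign) else [node.target]
        for target in targets:
            if isinstance(target, ast.Name) and SECRET_NAME_RE.search(target.id):
                findings.append((node.lineno, target.id, value.value))
    return findings


def load_vault_token(environ=os.environ) -> str:
    """Read VAULT_TOKEN from the environment; fail fast if it is missing or blank."""
    token = environ.get("VAULT_TOKEN", "").strip()
    if not token:
        raise RuntimeError("VAULT_TOKEN environment variable not set")
    return token


# Constructed samples mirroring the issue's before/after snippets.
BEFORE = "# trading bot config\nvault_token = 'trading-bot-token'\n"
AFTER = (
    "import os\n\n"
    "vault_token = os.environ.get('VAULT_TOKEN')\n"
    "if not vault_token:\n"
    "    raise RuntimeError('VAULT_TOKEN environment variable not set')\n"
)

if __name__ == "__main__":
    for lineno, name, literal in find_hardcoded_secrets(BEFORE):
        print(f"main.py:{lineno}: {name} assigned literal {literal!r}")
    print("after fix:", find_hardcoded_secrets(AFTER))
```

Running the scan over `BEFORE` reports the literal assignment on line 2 and reports nothing for `AFTER`, so the check can sit in CI or a pre-commit hook to keep the token from being reintroduced.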