Vaultline is an x402-native storage service. Treat it as payment and storage infrastructure, not a demo toy.
The currently supported public surfaces are:
openstorage tierprivatewallet-gated storage tier- TypeScript SDK package:
@builtbyecho/vaultline-sdk
The encrypted tier is planned, but not live. Do not rely on it for confidentiality.
Never commit or share production secrets, including:
R2_ACCESS_KEY_IDR2_SECRET_ACCESS_KEYCDP_API_KEY_IDCDP_API_KEY_SECRET- wallet private keys / mnemonics
- deployment
.envfiles
Production and local runtime must provide X402_TREASURY_WALLET. Do not hardcode treasury addresses in source.
X402_TEST_PAYTO is test-only for /v1/test/paid-ping. It must never control production file-route payouts.
Please report security issues privately to the maintainers before public disclosure. Do not open a public GitHub issue containing exploit details, secrets, or live abuse paths.
Useful report details:
- affected route/package/version
- reproduction steps
- expected vs actual behavior
- whether funds, private files, or credentials could be exposed
- Rotate any credentials that were pasted into chats, logs, screenshots, or CI output.
- Keep
.envfiles out of git and deployment logs. - Confirm R2 bucket is private and accessible only via scoped service credentials.
- Confirm CDP/x402 credentials are scoped and rotated on suspicion.
- Run the test suite and deployed smoke tests against the production URL.
- Enable host-level rate limiting and log rotation on the deployed API.
- Set
REQUEST_BODY_LIMITdeliberately for production traffic. - Set
CORS_ORIGINSdeliberately if browser clients should be restricted.