Privy JWT Private Key Committed to Repository in `.env.ci`
Full PEM-encoded ECDSA private key for signing Privy JWTs was committed to the CI env file. Fixed by deleting the keypair from env files and the env-var-name registry.
Description
The CI environment file contains a full PEM-encoded ECDSA private key (LOCAL_PRIVY_JWT_PRIVATE_KEY) used to sign Privy JWTs. This is a separate finding from the wallet keys above because JWT signing keys carry a distinct threat: possession of this key allows an attacker to potentially mint valid JWTs that impersonate any wallet address, bypassing all API authentication. The corresponding public key is also committed as LOCAL_PRIVY_JWT_PUBLIC_KEY.
This finding is recorded to acknowledge the presence of the key material in the repository, independently of whether it is used, which is why it is labeled INFO.
Impact
Ability to forge authentication tokens for any wallet address, granting full API access as any user without legitimate credentials.
Recommendation
Immediately rotate the exposed ECDSA key pair and re-issue any dependent credentials.
Verify that LOCAL_PRIVY_JWT_PUBLIC_KEY is not registered or trusted in any live environment.
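The two checks above (finding PEM private keys in committed env files, and confirming that a committed public key is not among the keys trusted anywhere live) can both be automated. The following is an added example written for this finding, not code from the audited project or from Privy. The env file contents, key bytes and trusted-key set are constructed placeholders; the variable names are the ones named in the finding. The fingerprint used is a plain SHA-256 over the base64-decoded PEM body, which is an assumption about how a team would record trusted keys, not a format the page specifies.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Constructed placeholder key material: NOT real keys, just bytes wrapped in PEM armor.
FAKE_PUB_DER = b"constructed SubjectPublicKeyInfo placeholder, not a real key"
FAKE_PUB_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(FAKE_PUB_DER).decode()
    + "\n-----END PUBLIC KEY-----"
)
# base64 of the ASCII string "PLACEHOLDER"; there is no key inside.
FAKE_PRIV_PEM = "-----BEGIN EC PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END EC PRIVATE KEY-----"


def env_quote(pem: str) -> str:
    """Write a PEM block the way dotenv files usually store it: quoted, newlines escaped."""
    return '"' + pem.replace("\n", "\\n") + '"'


# Constructed .env.ci sample (assumption: dotenv-style KEY=VALUE lines).
SAMPLE_ENV_CI = "\n".join([
    "# constructed .env.ci sample, not the project's real file",
    "DATABASE_URL=postgres://ci:ci@localhost/ci",
    "LOCAL_PRIVY_JWT_PRIVATE_KEY=" + env_quote(FAKE_PRIV_PEM),
    "LOCAL_PRIVY_JWT_PUBLIC_KEY=" + env_quote(FAKE_PUB_PEM),
    "LOG_LEVEL=debug",
])

# Matches "BEGIN PRIVATE KEY", "BEGIN EC PRIVATE KEY", "BEGIN RSA PRIVATE KEY", etc.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
PUBLIC_KEY_MARKER = "-----BEGIN PUBLIC KEY-----"


@dataclass
class Finding:
    line_no: int
    var_name: str
    kind: str  # "private-key" or "public-key"


def scan_env_text(text: str) -> list[Finding]:
    """Report every env variable whose value carries PEM key material.

    Private keys are the blocking finding; public keys are reported too so the
    reviewer can check them against what live environments trust.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if PRIVATE_KEY_RE.search(value):
            findings.append(Finding(line_no, name.strip(), "private-key"))
        elif PUBLIC_KEY_MARKER in value:
            findings.append(Finding(line_no, name.strip(), "public-key"))
    return findings


def pem_to_der(pem: str) -> bytes:
    """Strip quotes, dotenv newline escapes and armor lines, then base64-decode."""
    text = pem.strip().strip("\"'").replace("\\n", "\n")
    b64 = "".join(l.strip() for l in text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(b64, validate=True)


def pem_fingerprint(pem: str) -> str:
    """SHA-256 hex digest of the DER body; the identifier a trusted-key list would carry."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def public_key_is_trusted(pem: str, trusted_fingerprints: set[str]) -> bool:
    """True if this public key appears in the set of keys a live environment accepts."""
    return pem_fingerprint(pem) in trusted_fingerprints


if __name__ == "__main__":
    for f in scan_env_text(SAMPLE_ENV_CI):
        print(f"line {f.line_no}: {f.var_name} holds a {f.kind}")
    # Constructed trusted set for a live environment; in practice this comes from
    # the verifier's configured key set, which this example does not know.
    live_trusted: set[str] = set()
    committed_pub = FAKE_PUB_PEM
    print("committed public key trusted in live:", public_key_is_trusted(committed_pub, live_trusted))
```

Running `scan_env_text` over every env file in CI (or as a pre-commit hook) flags the private key by variable name and line, and `public_key_is_trusted` answers the recommendation's question for each live environment's configured key set: if the fingerprint of the committed LOCAL_PRIVY_JWT_PUBLIC_KEY ever appears in a live trusted set, tokens signed with the leaked private key would be accepted there and rotation is not optional.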
Resolution
Fixed in PR #3748. The Privy JWT keypair was a leftover from a decommissioned integration with no live consumer and was deleted outright (env files and env-var-name registry).

