Plaintext Production Polymarket Builder API Key in Committed `.env.prod`
Polymarket Builder API key value committed in plaintext to .env.prod despite every other secret being correctly referenced by GCP Secret Manager. Accepted: per team, this is Polymarket's public builder code, not a credential, and was already removed as part of the V2 migration.
Description
Every other secret in .env.prod is correctly stored in GCP Secret Manager and referenced by resource name. A single entry is the exception: the actual secret value of the Polymarket Builder API key is committed directly in plaintext:
POLYMARKET_BUILDER_API_KEY=019d77cc-e374-7036-b843-185b5555df2e
This key controls Polymarket Builder API authentication and is a live production credential. Any party with repository read access can extract it without requiring GCP IAM access.
Impact
Unauthorized control of Bloom's production Polymarket Builder identity, enabling order placement, modification, or cancellation on live markets.
Recommendation
Immediately rotate the key 019d77cc-e374-7036-b843-185b5555df2e with Polymarket.
Move the secret to GCP Secret Manager as POLYMARKET_BUILDER_API_KEY_SECRET_NAME, consistent with every other production secret in the same file.
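A repository-side check for the convention the recommendation describes (secret-bearing keys must point at a Secret Manager resource name via a `*_SECRET_NAME` entry, never carry a literal value). This is an added example, not code from the audited project; the key-suffix list and the sample `.env.prod` content are constructed assumptions.

```python
import re

# Shape of a GCP Secret Manager reference: projects/<id>/secrets/<name>[/versions/<v>].
GCP_SECRET_RE = re.compile(r"^projects/[^/\s]+/secrets/[^/\s]+(/versions/[^/\s]+)?$")
# Key suffixes assumed to denote secrets (assumption; extend to match the project's naming).
SENSITIVE_SUFFIXES = ("_API_KEY", "_SECRET", "_TOKEN", "_PASSWORD", "_PRIVATE_KEY")


def parse_env(text):
    """Yield (line_no, key, value) for each KEY=VALUE line; blanks and comments are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield n, key.strip(), value.strip().strip('"').strip("'")


def find_plaintext_secrets(text):
    """Return (line_no, key, reason) for entries that break the reference-by-name convention."""
    findings = []
    for n, key, value in parse_env(text):
        if key.endswith("_SECRET_NAME"):
            # A *_SECRET_NAME key must hold a Secret Manager resource name, nothing else.
            if not GCP_SECRET_RE.match(value):
                findings.append((n, key, "value is not a Secret Manager resource name"))
        elif key.endswith(SENSITIVE_SUFFIXES) and value:
            # A secret-looking key with a literal value is the pattern this finding describes.
            findings.append((n, key, "plaintext secret value committed; use <KEY>_SECRET_NAME"))
    return findings


# Constructed sample .env.prod mirroring the finding; all values are placeholders.
SAMPLE_ENV_PROD = """\
# production config
DB_PASSWORD_SECRET_NAME=projects/example-proj/secrets/db-password/versions/latest
POLYMARKET_API_SECRET_SECRET_NAME=projects/example-proj/secrets/polymarket-api-secret/versions/3
POLYMARKET_BUILDER_API_KEY=00000000-0000-0000-0000-000000000000
LOG_LEVEL=info
BROKEN_TOKEN_SECRET_NAME=not-a-resource-name
"""

if __name__ == "__main__":
    for line_no, key, reason in find_plaintext_secrets(SAMPLE_ENV_PROD):
        print(f".env.prod:{line_no}: {key}: {reason}")
```

Wired into a pre-commit hook or CI step, a non-empty result fails the build before a plaintext value reaches the repository.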
Resolution
Acknowledged by the team and accepted by the auditor: POLYMARKET_BUILDER_API_KEY is Polymarket's public builder code (not a credential) and was already removed from .env.prod as part of the V2 migration.