From 5d666cf3c3ec687eba45f9adf97fe05e719bebd7 Mon Sep 17 00:00:00 2001
From: Penzlik
Date: Fri, 1 May 2026 20:05:58 +0300
Subject: [PATCH 1/3] fix: add security warning for raw PRIVATE_KEY usage in launch-token guide

The launch-token guide used vm.envUint("PRIVATE_KEY") without any security warning, while the deploy-smart-contracts guide explicitly recommends cast wallet import (keystore) as the safer approach.
Added a Warning callout before the .env configuration block to:
- Alert developers that raw PRIVATE_KEY in .env is for local/testing only
- Recommend cast wallet import for production deployments
- Link to the deploy-smart-contracts guide for the secure approach
Fixes #1357
---
 docs/get-started/launch-token.mdx | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/get-started/launch-token.mdx b/docs/get-started/launch-token.mdx
index bcccc57a8..7b9ddc7d7 100644
--- a/docs/get-started/launch-token.mdx
+++ b/docs/get-started/launch-token.mdx
@@ -245,6 +245,10 @@ contract DeployToken is Script {
 ### Environment Configuration
+
+Never commit your `.env` file or share your `PRIVATE_KEY`. The raw private key approach shown below is intended for **local development and testing only**. For production deployments, use the more secure keystore method with `cast wallet import deployer --interactive` as described in the [Deploy Smart Contracts guide](https://docs.base.org/get-started/deploy-smart-contracts).
+
+
 Create a `.env` file with your configuration:
 ```bash .env

From 4aea646fed9ec4690f9737332f14d502b48368e7 Mon Sep 17 00:00:00 2001
From: Penzlik
Date: Sat, 2 May 2026 20:46:51 +0300
Subject: [PATCH 2/3] Update warning about .env file and PRIVATE_KEY

Added a reminder to include '.env' in .gitignore to prevent accidental key commits.
---
 docs/get-started/launch-token.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/get-started/launch-token.mdx b/docs/get-started/launch-token.mdx
index 7b9ddc7d7..41495e894 100644
--- a/docs/get-started/launch-token.mdx
+++ b/docs/get-started/launch-token.mdx
@@ -246,7 +246,7 @@ contract DeployToken is Script {
 ### Environment Configuration
-Never commit your `.env` file or share your `PRIVATE_KEY`. The raw private key approach shown below is intended for **local development and testing only**. For production deployments, use the more secure keystore method with `cast wallet import deployer --interactive` as described in the [Deploy Smart Contracts guide](https://docs.base.org/get-started/deploy-smart-contracts).
+Never commit your `.env` file or share your `PRIVATE_KEY`. Always add `.env` to your `.gitignore` to prevent accidental key commits. The raw private key approach shown below is intended for **local development and testing only**. For production deployments, use the more secure keystore method with `cast wallet import deployer --interactive` as described in the [Deploy Smart Contracts guide](https://docs.base.org/get-started/deploy-smart-contracts).
 Create a `.env` file with your configuration:

From 0da74b825eef95f0f9dec73eeda7d86690ae7150 Mon Sep 17 00:00:00 2001
From: Penzlik
Date: Thu, 14 May 2026 13:38:06 +0300
Subject: [PATCH 3/3] docs: add security warning for PRIVATE_KEY in .env (fixes #1357)

---
 docs/get-started/launch-token.mdx | 21 ++++----------------
 1 file changed, 4 insertions(+), 17 deletions(-)

diff --git a/docs/get-started/launch-token.mdx b/docs/get-started/launch-token.mdx
index 41495e894..552979a5e 100644
--- a/docs/get-started/launch-token.mdx
+++ b/docs/get-started/launch-token.mdx
@@ -245,10 +245,6 @@ contract DeployToken is Script {
 ### Environment Configuration
-
-Never commit your `.env` file or share your `PRIVATE_KEY`. Always add `.env` to your `.gitignore` to prevent accidental key commits. The raw private key approach shown below is intended for **local development and testing only**. For production deployments, use the more secure keystore method with `cast wallet import deployer --interactive` as described in the [Deploy Smart Contracts guide](https://docs.base.org/get-started/deploy-smart-contracts).
-
-
 Create a `.env` file with your configuration:
 ```bash .env
@@ -258,6 +254,10 @@ BASE_MAINNET_RPC_URL=https://mainnet.base.org
 BASESCAN_API_KEY=your_basescan_api_key_here
 ```
+
+**Security:** Never commit your `.env` file to version control. Add `.env` to `.gitignore` immediately after creating it. Storing a raw `PRIVATE_KEY` in `.env` is acceptable for local testing only — **never use this approach for production deployments**. For production, use the keystore method instead: `cast wallet import deployer --interactive`. See the [Deploy Smart Contracts guide](/get-started/deploy-smart-contracts) for the recommended secure approach.
+
+
 Update `foundry.toml` for Base network configuration:
 ```toml foundry.toml
@@ -301,7 +301,6 @@ contract MyTokenTest is Test {
 }
 function testInitialState() public {
-// Verify token was deployed with correct parameters
 assertEq(token.name(), "Test Token");
 assertEq(token.symbol(), "TEST");
 assertEq(token.totalSupply(), INITIAL_SUPPLY);
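Review bot: The `+**Security:**` callout in the `@@ -258,6 +254,10 @@` hunk warns only about `PRIVATE_KEY`, while the `.env` block it sits directly under also contains `BASESCAN_API_KEY`, which readers may then treat as safe to commit. Broaden the first sentence so it covers the whole file, for example "Never commit your `.env` file to version control; every value in it, including `BASESCAN_API_KEY`, is a credential." The "add `.env` to `.gitignore` immediately after creating it" instruction is more likely to be followed as a concrete step, such as a one-line `echo ".env" >> .gitignore` shown right after the `.env` block. The link target also changed from the absolute URL used in the first two patches to the relative `/get-started/deploy-smart-contracts`; if the docs site resolves relative links this is fine, but it is worth confirming before merge.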
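Review bot: The deletion of `// Verify token was deployed with correct parameters` in the `@@ -301,7 +301,6 @@` hunk, together with the other comment removals in `@@ -310,36 +309,27 @@`, `@@ -349,7 +339,6 @@` and `@@ -358,10 +347,8 @@`, is unrelated to the security warning this commit's subject describes and accounts for most of the 17 deleted lines. Several of those comments carry meaning the examples lose without them: `// Only owner should be able to mint` states the access-control expectation that `testMinting` checks via `vm.prank(owner)`, and `# Load environment variables` tells the reader what `source .env` does with the key the new callout warns about. Keep the comments, or move the cleanup into a separate commit so the diffstat matches the subject. The `@@ -358` hunk continues past the end of this view.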
@@ -310,36 +309,27 @@ contract MyTokenTest is Test {
 function testMinting() public {
 uint256 mintAmount = 1000 * 10**18;
-
-// Only owner should be able to mint
 vm.prank(owner);
 token.mint(user, mintAmount);
-
 assertEq(token.balanceOf(user), mintAmount);
 assertEq(token.totalSupply(), INITIAL_SUPPLY + mintAmount);
 }
 function testBurning() public {
 uint256 burnAmount = 1000 * 10**18;
-
-// Owner burns their own tokens
 vm.prank(owner);
 token.burn(burnAmount);
-
 assertEq(token.balanceOf(owner), INITIAL_SUPPLY - burnAmount);
 assertEq(token.totalSupply(), INITIAL_SUPPLY - burnAmount);
 }
 function testFailMintExceedsMaxSupply() public {
-// This test should fail when trying to mint more than max supply
 uint256 excessiveAmount = token.MAX_SUPPLY() + 1;
-
 vm.prank(owner);
 token.mint(user, excessiveAmount);
 }
 function testFailUnauthorizedMinting() public {
-// This test should fail when non-owner tries to mint
 vm.prank(user);
 token.mint(user, 1000 * 10**18);
 }
@@ -349,7 +339,6 @@ contract MyTokenTest is Test {
 Run your tests:
 ```bash Terminal
-# Run all tests with verbose output
 forge test -vv
 ```
@@ -358,10 +347,8 @@ forge test -vv
 Deploy to Base Sepolia testnet:
 ```bash Terminal
-# Load environment variables
 source .env
-# Deploy to Base Sepolia with automatic verification
 forge script script/DeployToken.s.sol:DeployToken \
 --rpc-url base_sepolia \
 --broadcast \