From 5d666cf3c3ec687eba45f9adf97fe05e719bebd7 Mon Sep 17 00:00:00 2001 From: Penzlik Date: Fri, 1 May 2026 20:05:58 +0300 Subject: [PATCH 1/2] fix: add security warning for raw PRIVATE_KEY usage in launch-token guide The launch-token guide used vm.envUint("PRIVATE_KEY") without any security warning, while the deploy-smart-contracts guide explicitly recommends cast wallet import (keystore) as the safer approach. Added a Warning callout before the .env configuration block to: - Alert developers that raw PRIVATE_KEY in .env is for local/testing only - Recommend cast wallet import for production deployments - Link to the deploy-smart-contracts guide for the secure approach Fixes #1357 --- docs/get-started/launch-token.mdx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/get-started/launch-token.mdx b/docs/get-started/launch-token.mdx index bcccc57a8..7b9ddc7d7 100644 --- a/docs/get-started/launch-token.mdx +++ b/docs/get-started/launch-token.mdx @@ -245,6 +245,10 @@ contract DeployToken is Script { ### Environment Configuration + +Never commit your `.env` file or share your `PRIVATE_KEY`. The raw private key approach shown below is intended for **local development and testing only**. For production deployments, use the more secure keystore method with `cast wallet import deployer --interactive` as described in the [Deploy Smart Contracts guide](https://docs.base.org/get-started/deploy-smart-contracts). + + Create a `.env` file with your configuration: ```bash .env From 4aea646fed9ec4690f9737332f14d502b48368e7 Mon Sep 17 00:00:00 2001 From: Penzlik Date: Sat, 2 May 2026 20:46:51 +0300 Subject: [PATCH 2/2] Update warning about .env file and PRIVATE_KEY Added a reminder to include '.env' in .gitignore to prevent accidental key commits. --- docs/get-started/launch-token.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/get-started/launch-token.mdx b/docs/get-started/launch-token.mdx index 7b9ddc7d7..41495e894 100644 
--- a/docs/get-started/launch-token.mdx +++ b/docs/get-started/launch-token.mdx @@ -246,7 +246,7 @@ contract DeployToken is Script { ### Environment Configuration -Never commit your `.env` file or share your `PRIVATE_KEY`. The raw private key approach shown below is intended for **local development and testing only**. For production deployments, use the more secure keystore method with `cast wallet import deployer --interactive` as described in the [Deploy Smart Contracts guide](https://docs.base.org/get-started/deploy-smart-contracts). +Never commit your `.env` file or share your `PRIVATE_KEY`. Always add `.env` to your `.gitignore` to prevent accidental key commits. The raw private key approach shown below is intended for **local development and testing only**. For production deployments, use the more secure keystore method with `cast wallet import deployer --interactive` as described in the [Deploy Smart Contracts guide](https://docs.base.org/get-started/deploy-smart-contracts). Create a `.env` file with your configuration:
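Review bot: In PATCH 1/2, the warning added under "### Environment Configuration" sends production users to `cast wallet import deployer --interactive` but does not say how the steps on this page change once they do that. The commit message states that the guide's script reads `vm.envUint("PRIVATE_KEY")`, so a reader who follows the keystore advice still lands on a script and a `.env` block that expect the raw key. Suggest adding one sentence to the warning that says the keystore account is selected at run time (forge's `--account deployer`) and that `PRIVATE_KEY` is then not placed in `.env`, or state explicitly that the linked guide covers the changed script and command. As a style point, a site-relative link would be more robust than the absolute `https://docs.base.org/get-started/deploy-smart-contracts` URL, since the target lives in the same docs tree.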
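Review bot: In PATCH 2/2, the added sentence "Always add `.env` to your `.gitignore` to prevent accidental key commits" only protects a file that git has never tracked; `.gitignore` has no effect on a `.env` that is already in the index or in history. Suggest extending the sentence to say that an already tracked file has to be untracked with `git rm --cached .env`, and that a key which reached any commit should be treated as exposed and replaced rather than just deleted from the working tree. The commit subject also drops the `fix:` prefix used in PATCH 1/2; keeping the same convention across the series would help if the commits are not squashed.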