The benchmark submission HMAC signing secret was hardcoded in source
code (CWE-798), allowing anyone reading the open-source repository to
extract it and forge benchmark submissions to benchmark.projectnomad.us.
- Read BENCHMARK_HMAC_SECRET from env instead of embedding it in code
- Register the variable in the AdonisJS env schema (optional)
- Add a guard in submitToRepository() that rejects submissions when
the secret is not configured
- Document the new variable in .env.example
The benchmark server operator must now inject the real secret via the
BENCHMARK_HMAC_SECRET environment variable (e.g. in docker-compose or
a .env file). The previously committed secret should be rotated
server-side.
