Remove SideShift privateKey from env config #6024

Open
j0ntz wants to merge 2 commits into develop from jon/remove-sideshift-private-key

j0ntz commented Jun 10, 2026

Contributor

CHANGELOG

Does this branch warrant an entry to the CHANGELOG?

  • Yes
  • No

Dependencies

none

Description

SideShift hack followup. The SideShift affiliate account was compromised, so we
stop sending the affiliate secret. This removes the privateKey field that was
added to SIDESHIFT_INIT in env config by #5369. The SideShift swap plugin
sends that value as the x-sideshift-secret header; with the field gone the
header is omitted. SideShift confirmed the integration works identically without
it (the affiliateId query param is what tracks affiliate commission). Rotating
to a new affiliate account/affiliateId and removing the secret from the
production env are handled operationally, outside this repo.

Asana: https://app.asana.com/0/1215088146871429/1214800712844381

Verification.

  • tsc --noEmit and verify-repo (eslint + jest) pass.
  • Executed a real end-to-end SideShift swap in the iOS simulator (edge-funds account, SideShift forced as the only swap provider via a local, uncommitted corePlugins edit): BTC My Bitcoin 0.00023481 (USD 14.99) to SOL My Solana 0.20594, "Powered by SideShift.ai". Slid to confirm and reached the "Congratulations! Your exchange is being processed!" success scene; the BTC spend is recorded as an Exchange: To SOL transaction. The plugin issued the shift-creation request with no x-sideshift-secret header and the swap still created and broadcast, confirming the integration works without the privateKey. See the attached screenshots (quote, success scene, transaction details).
  • The prior geo-block (SideShift denies US egress) was cleared by re-testing from a non-US VPN exit, where createShift is permitted; the shift created successfully.
  • A confirmSliderThumb testID was added to the shared confirm slider so the maestro swap flow can drive it (test infrastructure, separate commit).

Requirements

If you have made any visual changes to the GUI, make sure you have:

  • Tested on iOS device
  • Tested on Android device
  • Tested on small-screen device (iPod Touch)
  • Tested on large-screen device (tablet)

Note

Medium Risk
Touches live SideShift swap configuration after a compromised affiliate secret, though behavior without the header was verified end-to-end; misconfigured env could still affect affiliate attribution.

Overview
Removes the SideShift privateKey from SIDESHIFT_INIT in env config (and drops .withRest on that object), so production env.json can no longer supply the affiliate secret that the swap plugin would send as x-sideshift-secret. affiliateId remains the only configured SideShift affiliate field; commission tracking is expected to work via the affiliate id alone.

Also adds testID="confirmSliderThumb" on the shared confirm slider thumb in SafeSlider (snapshot test updates only) to support Maestro swap flows.

Reviewed by Cursor Bugbot for commit aefe0fc. Bugbot is set up for automated code reviews on this repo.

j0ntz commented Jun 10, 2026

Contributor Author

📸 Test evidence

[Image: agent proof 1214800712844381 01 app running new bundle]

[Image: agent proof 1214800712844381 02 sideshift swap configured]

Captured by the agent's in-app test run (build-and-test).

j0ntz commented Jun 12, 2026

Contributor Author

Verification note (testing followup, no code change)

Confirmed this change is safe: removing the SideShift privateKey does not affect SideShift swap behavior. The x-sideshift-secret header is affiliate-attribution only and is functionally inert for quote/shift access.

Direct SideShift API check from the test host, with and without the old secret header, returned identical results:

  • GET /permissions -> {"createShift":false}
  • POST /quotes -> {"error":{"code":"ACCESS_DENIED"}}

The plugin already guards the header with if (privateKey != null) and still sends the required affiliateId.

A real in-app SideShift swap could not be driven to the success scene from this test slot because SideShift hard-blocks shift creation from US IPs (createShift:false; the ACCESS_DENIED page lists the United States as a blocked country). This is a US geo-restriction independent of this change, not a regression. The app was built from this branch (with privateKey absent from env.json) and drove a live BTC->ETH swap quote with the confirm slider, so the swap flow itself is functional with the change.
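The configuration point from the overview and the verification note above, as an added TypeScript example (not code from this PR or its repository): a validator that passes unknown keys through lets a stale privateKey in env.json reach the `if (privateKey != null)` header guard, while an allow-list validator drops it. The function names and sample values are hypothetical stand-ins.

```typescript
// Added illustration: hypothetical stand-ins, not the repository's envConfig or plugin code.
type InitOptions = Record<string, unknown>

// Constructed sample: an env.json fragment that still carries the retired secret.
const staleEnv = {
  SIDESHIFT_INIT: {
    affiliateId: 'AFFILIATE_ID_PLACEHOLDER',
    privateKey: 'RETIRED_SECRET_PLACEHOLDER'
  }
}

// Pass-through validation: checks affiliateId but keeps every other key.
function cleanWithRest(raw: InitOptions): InitOptions {
  if (typeof raw.affiliateId !== 'string') throw new TypeError('affiliateId must be a string')
  return { ...raw }
}

// Allow-list validation: returns only the known field, so unknown keys are dropped.
function cleanStrict(raw: InitOptions): InitOptions {
  if (typeof raw.affiliateId !== 'string') throw new TypeError('affiliateId must be a string')
  return { affiliateId: raw.affiliateId }
}

// Header construction using the guard quoted in the thread.
function buildHeaders(init: InitOptions): Record<string, string> {
  const headers: Record<string, string> = { 'Content-Type': 'application/json' }
  const { privateKey } = init
  if (privateKey != null) headers['x-sideshift-secret'] = String(privateKey)
  return headers
}

// Deploy-time check: list config paths that still hold the retired field.
function findRetiredSecrets(env: Record<string, InitOptions>): string[] {
  return Object.entries(env)
    .filter(([, init]) => 'privateKey' in init)
    .map(([name]) => `${name}.privateKey`)
}

// With pass-through validation the stale secret is still sent; with the allow-list it is not.
const leaky = buildHeaders(cleanWithRest(staleEnv.SIDESHIFT_INIT))
const safe = buildHeaders(cleanStrict(staleEnv.SIDESHIFT_INIT))
console.log('x-sideshift-secret' in leaky, 'x-sideshift-secret' in safe)
console.log(findRetiredSecrets(staleEnv))
```

Running `findRetiredSecrets` over the deployed env file flags a leftover secret even after the validator has stopped forwarding it, which is the operational cleanup the description says happens outside the repo.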

j0ntz commented Jun 22, 2026

Contributor Author

📸 Test evidence: executed SideShift swap (BTC to SOL) from non-US egress, end-to-end to success scene

[Image: agent proof 1214800712844381 01 sideshift quote]

[Image: agent proof 1214800712844381 02 swap success]

[Image: agent proof 1214800712844381 03 tx details]

Captured by the agent's in-app test run (build-and-test).

cursor Bot left a comment

Stale comment

Comment thread src/envConfig.ts Outdated
j0ntz force-pushed the jon/remove-sideshift-private-key branch from b6d5245 to 891310e on June 22, 2026 23:39
j0ntz added 2 commits June 22, 2026 16:45
The SideShift affiliate account was compromised. SideShift confirmed the swap
integration works identically without the privateKey, so stop validating and
injecting it (it was sent as the x-sideshift-secret header). Account rotation
to a new affiliateId is handled operationally.
j0ntz force-pushed the jon/remove-sideshift-private-key branch from 891310e to aefe0fc on June 22, 2026 23:46