Public release security review

Review date: 2026-06-04. Package: DataDeFi CCXT consumer reference (from csai/services/datadefi-x402-mcp-safe/public/).

Vetting performed

Check	Result
`.env` / credentials in tree	None
Hardcoded API keys / private keys	None
Personal emails / allowlists	None
Internal-only bypass secrets in code	None — docs mention `DATADEFI_SHARED_SECRET` only as env name for x402 upstream (not for CCXT)
Live validation	curl OK against `https://exchange.datadefi.ai/api/ccxt/*` (18 markets, CVAR/USD ticker)

Intentional public references

Default origin https://exchange.datadefi.ai
Public DFY contract address may appear in related docs (not in this CCXT bundle)
Example env var names in documentation only

Before `git push`

LICENSE — MIT (see root LICENSE).
Do not commit operator emails in deploy env — N/A for this package.
Run python3 scripts/validate_ccxt_sink.py or ./scripts/validate_ccxt_sink.sh from CI after publish.

Note on local Python SSL

Some macOS Python builds fail TLS verify against exchange.datadefi.ai; use the shell validator (curl) or fix certifi. Production CI on Linux typically passes.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security

SECURITY.md

Public release security review

Vetting performed

Intentional public references

Before `git push`

Note on local Python SSL

There aren't any published security advisories

Security: gleim/datadefi-app

Security

SECURITY.md

Public release security review

Vetting performed

Intentional public references

Before git push

Note on local Python SSL

There aren't any published security advisories

Before `git push`