From c0c37c4c7e84c512b01229dd50dc04a6b3b5b802 Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 3 Mar 2026 11:58:26 +0000
Subject: [PATCH] security: remove hardcoded Discord token, load from env/GCP Secret Manager
---
 backend/signal_pusher.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/backend/signal_pusher.py b/backend/signal_pusher.py
index 0be55b5..28be965 100644
--- a/backend/signal_pusher.py
+++ b/backend/signal_pusher.py
@@ -6,7 +6,9 @@ import httpx
 DB_PATH = os.path.join(os.path.dirname(os.path.dirname(__file__)), "arb.db")
 BINANCE_FAPI = "https://fapi.binance.com/fapi/v1"
 SYMBOLS = ["BTCUSDT", "ETHUSDT"]
-DISCORD_TOKEN = os.getenv("DISCORD_BOT_TOKEN", "MTQ3Mjk4NzY1NjczNTU1OTg0Mg.GgeYh5.NYSbivZKBUc5S2iKXeB-hnC33w3SUUPzDDdviM")
+DISCORD_TOKEN = os.getenv("DISCORD_BOT_TOKEN")
+if not DISCORD_TOKEN:
+ raise RuntimeError("DISCORD_BOT_TOKEN 未设置,请从 GCP Secret Manager 注入")
 DISCORD_CHANNEL = os.getenv("DISCORD_SIGNAL_CHANNEL", "1472986545635197033")
 BINANCE_HEADERS = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"}
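Review bot: The literal on the removed `-DISCORD_TOKEN` line stays readable in the repository history and in this patch, so deleting the default does not end the exposure; that credential needs to be reset on the Discord side and treated as compromised, and a comment above the new lookup such as `# No default on purpose: the token must only come from the environment` would keep a fallback from creeping back. The added guard runs at import time, so anything that imports `signal_pusher` without the variable set (tests, tooling) now fails; if that is not intended, the check belongs in the code path that first uses the token. `if not DISCORD_TOKEN` also lets a whitespace-only value through, which `DISCORD_TOKEN = (os.getenv("DISCORD_BOT_TOKEN") or "").strip()` would reject. The subject line mentions GCP Secret Manager, but the visible lines only read the environment variable, so the injection presumably happens in deployment and is worth documenting next to the check.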