Security hardening + README

- Remove test files with hardcoded private keys
- Remove JWT fallback secret (now requires JWT_SECRET env var)
- Remove CLOUDFLARE_RESOURCES.md (infra IDs)
- Add test-*.mjs to .gitignore
- Add README.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: BaseMail Dev

.gitignore

@@ -18,5 +18,8 @@ Thumbs.db
 .vscode/
 .idea/
 
+# Test files with credentials
+worker/test-*.mjs
+
 # Build
 *.tsbuildinfo

CLOUDFLARE_RESOURCES.md

@@ -0,0 +1,151 @@
+# BaseMail
+
+**Email Identity for AI Agents on Base**
+
+BaseMail gives AI agents a real email address tied to their Web3 wallet. Basename holders get `yourname@basemail.ai`, others get `0xAddress@basemail.ai`. Agents can send, receive, and reply to emails — all via API.
+
+**Live at [basemail.ai](https://basemail.ai)**
+
+## Architecture
+
+```
+┌─────────────┐     ┌──────────────────┐     ┌────────────┐
+│  Frontend    │────>│  Cloudflare      │────>│  D1 (SQL)  │
+│  (Pages)     │     │  Worker (Hono)   │     │  R2 (MIME) │
+│  React+Vite  │     │  api.basemail.ai │     │  KV (nonce)│
+└─────────────┘     └──────────────────┘     └────────────┘
+                           │
+            ┌──────────────┼──────────────┐
+            │              │              │
+     SIWE Auth      Email Routing    Base Chain
+     (wallet→JWT)   (CF Email +      (Basename,
+                     Resend.com)      USDC verify)
+```
+
+| Component | Stack |
+|-----------|-------|
+| Worker | Cloudflare Workers, Hono, viem |
+| Frontend | React, Vite, Tailwind, wagmi |
+| Database | Cloudflare D1 (SQLite) |
+| Email Storage | Cloudflare R2 |
+| Auth Nonces | Cloudflare KV |
+| Inbound Email | Cloudflare Email Routing |
+| Outbound Email | Resend.com API |
+| Chain | Base (mainnet) + Base Sepolia (testnet) |
+
+## Features
+
+- **SIWE Authentication** — Sign-In with Ethereum, no passwords
+- **Agent-friendly API** — 2 calls to register, 1 to send
+- **Basename Integration** — Auto-detect or purchase Basenames on-chain
+- **Internal Email** — Free, unlimited @basemail.ai ↔ @basemail.ai
+- **External Email** — Via Resend.com, credit-based pricing
+- **Pre-storage** — Emails to unregistered 0x addresses are held for 30 days
+- **USDC Verified Payments** — Send USDC via email with on-chain verification (Base Sepolia testnet)
+- **BaseMail Pro** — Remove email signatures, gold badge (0.008 ETH one-time)
+
+## Project Structure
+
+```
+basemail/
+├── worker/              # Cloudflare Worker (API)
+│   ├── src/
+│   │   ├── index.ts          # Routes + API docs
+│   │   ├── auth.ts           # JWT + SIWE verification
+│   │   ├── email-handler.ts  # Inbound email processing
+│   │   ├── types.ts          # TypeScript types
+│   │   └── routes/
+│   │       ├── auth.ts       # /api/auth/*
+│   │       ├── register.ts   # /api/register/*
+│   │       ├── send.ts       # /api/send
+│   │       ├── inbox.ts      # /api/inbox/*
+│   │       ├── identity.ts   # /api/identity/*
+│   │       ├── credits.ts    # /api/credits/*
+│   │       └── pro.ts        # /api/pro/*
+│   └── wrangler.toml
+├── web/                 # Frontend (Cloudflare Pages)
+│   ├── src/
+│   │   ├── pages/
+│   │   │   ├── Landing.tsx   # Landing page
+│   │   │   └── Dashboard.tsx # Full email dashboard
+│   │   ├── wagmi.ts          # Wallet config
+│   │   └── main.tsx
+│   └── vite.config.ts
+└── contracts/           # Smart contracts (Hardhat)
+    └── contracts/
+        └── BaseMailRegistry.sol
+```
+
+## Quick Start (AI Agents)
+
+```bash
+# 1. Get SIWE message
+curl -X POST https://api.basemail.ai/api/auth/start \
+  -H "Content-Type: application/json" \
+  -d '{"address":"YOUR_WALLET_ADDRESS"}'
+
+# 2. Sign message + register (returns JWT token)
+curl -X POST https://api.basemail.ai/api/auth/agent-register \
+  -H "Content-Type: application/json" \
+  -d '{"address":"...","signature":"0x...","message":"..."}'
+
+# 3. Send email
+curl -X POST https://api.basemail.ai/api/send \
+  -H "Authorization: Bearer YOUR_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"to":"someone@basemail.ai","subject":"Hello","body":"Hi!"}'
+```
+
+Full API docs: `GET https://api.basemail.ai/api/docs`
+
+## Development
+
+### Prerequisites
+
+- Node.js 20+
+- Cloudflare account (Workers, D1, R2, KV, Email Routing)
+- Wrangler CLI
+
+### Setup
+
+```bash
+# Install dependencies
+npm install
+cd web && npm install && cd ..
+
+# Configure secrets (create worker/.dev.vars)
+# BASEMAIL_WALLET_PRIVATE_KEY=0x...
+# BASEMAIL_WALLET_ADDRESS=0x...
+# JWT_SECRET=your-secret-here
+# RESEND_API_KEY=re_...
+
+# Run worker locally
+cd worker && npx wrangler dev
+
+# Run frontend locally
+cd web && npx vite dev
+```
+
+### Deploy
+
+```bash
+# Deploy worker
+cd worker && npx wrangler deploy
+
+# Build + deploy frontend
+cd web && npx vite build && npx wrangler pages deploy dist --project-name=basemail-web
+```
+
+### Environment Variables (Worker)
+
+| Variable | Where | Description |
+|----------|-------|-------------|
+| `JWT_SECRET` | Wrangler secret | JWT signing key |
+| `WALLET_PRIVATE_KEY` | Wrangler secret | Worker wallet for on-chain ops |
+| `RESEND_API_KEY` | Wrangler secret | Resend.com API key |
+| `DOMAIN` | wrangler.toml vars | `basemail.ai` |
+| `WALLET_ADDRESS` | wrangler.toml vars | Public deposit address |
+
+## License
+
+All rights reserved.

README.md

@@ -136,7 +136,7 @@ export function authMiddleware() {
     }
 
     const token = authHeader.slice(7);
-    const secret = c.env.JWT_SECRET || '***REDACTED***';
+    const secret = c.env.JWT_SECRET!;
     const auth = await verifyToken(token, secret);
 
     if (!auth) {

worker/src/auth.ts

@@ -66,7 +66,7 @@ authRoutes.post('/agent-register', async (c) => {
   }
 
   const wallet = address.toLowerCase();
-  const secret = c.env.JWT_SECRET || '***REDACTED***';
+  const secret = c.env.JWT_SECRET!;
 
   // Check if wallet already registered
   const existingAccount = await c.env.DB.prepare(
@@ -259,7 +259,7 @@ authRoutes.post('/verify', async (c) => {
     suggestedSource = resolved.source;
   }
 
-  const secret = c.env.JWT_SECRET || '***REDACTED***';
+  const secret = c.env.JWT_SECRET!;
   const token = await createToken(
     { wallet, handle: account?.handle || '' },
     secret,

worker/src/routes/auth.ts

@@ -105,7 +105,7 @@ registerRoutes.post('/', authMiddleware(), async (c) => {
   ).run();
 
   // Issue new JWT with handle
-  const secret = c.env.JWT_SECRET || '***REDACTED***';
+  const secret = c.env.JWT_SECRET!;
   const newToken = await createToken(
     { wallet: auth.wallet, handle },
     secret,
@@ -275,7 +275,7 @@ registerRoutes.put('/upgrade', authMiddleware(), async (c) => {
   const migratedCount = batchResults[2]?.meta?.changes || 0;
 
   // 發新 token
-  const secret = c.env.JWT_SECRET || '***REDACTED***';
+  const secret = c.env.JWT_SECRET!;
   const newToken = await createToken({ wallet: auth.wallet, handle: newHandle }, secret);
 
   return c.json({