This update addresses critical security concerns identified in the codebase review and implements best practices for production deployment.

• Created missing configuration module (fixes critical crash issue)
• Implements environment variable support for sensitive data
• Auto-disables telemetry when credentials are missing
• Supports multiple disable flags for user convenience

• Added graceful error handling for missing config import
• Prevents crashes if config module is unavailable
• Creates fallback disabled config on import error

• SECURITY: Removed hardcoded RODIN_FREE_TRIAL_KEY
• Added comprehensive security warnings to execute_code() function
• Documented risks of arbitrary code execution
• Added instructions for users to obtain their own API keys

• Added security warning emoji and documentation to execute_blender_code tool
• Clarified risks in tool docstring visible to AI models

• Complete environment variable documentation
• Security notes and best practices
• Template for users to create their own .env files
• Documents all configuration options

• Added comprehensive "Security & Privacy" section
• Documented code execution risks with warnings
• Added API key security best practices
• Telemetry opt-out instructions (multiple methods)
• Network security considerations
• Clear formatting with emojis for visibility

• Expanded to cover more temporary files
• Added explicit rules for .env files
• Added patterns for API keys and secrets
• Better IDE and build artifact coverage

• Comprehensive security policy document
• Reporting guidelines for vulnerabilities
• Security best practices for users and developers
• Known security considerations with mitigations
• Pre-deployment security checklist
• Incident response procedures

• Added security comment about environment variables
• Clarified configuration via docker-compose

1. Missing Config Module - Created config.py with proper error handling
2. Hardcoded API Key - Removed from source code
3. Code Execution Warnings - Added comprehensive documentation

4. Documentation - Clear security warnings in README and SECURITY.md
5. Environment Variables - Proper configuration system via .env.example
6. Telemetry Transparency - Clear opt-out instructions

7. Gitignore Protection - Enhanced to prevent accidental commits of secrets
8. Error Handling - Graceful degradation when config is missing

• Hyper3D Free Trial Key Removed: Users must now obtain their own API key from hyper3d.ai or fal.ai
• No other breaking changes for typical usage

• New dependency on config.py module (now included)
• Telemetry requires environment variables to be set (auto-disables if missing)

1. Update the addon.py file in Blender:

   • Download new addon.py
   • Replace in Blender > Preferences > Add-ons

2. Get your own Hyper3D API key (if using this feature):

   • Visit https://hyper3d.ai or https://fal.ai
   • Obtain API key
   • Enter in Blender addon UI (BlenderMCP panel)

3. Optional: Configure telemetry:

   • Telemetry auto-disables if not configured
   • To disable explicitly: export DISABLE_TELEMETRY=true
   • Add to shell profile for persistence

4. Review security documentation:

   • Read new Security section in README.md
   • Review SECURITY.md for best practices
   • Understand code execution risks

1. Update docker-compose.yml (optional):

   environment:
     - DISABLE_TELEMETRY=true  # Optional: disable telemetry

2. Rebuild containers:

   docker-compose down
   docker-compose up --build

• ✅ Telemetry gracefully handles missing config
• ✅ Server starts with default configuration
• ✅ Environment variables properly override defaults
• ✅ Telemetry can be disabled multiple ways
• ✅ No hardcoded secrets in repository

1. Review SECURITY.md - Understand all security considerations
2. Disable telemetry - Set DISABLE_TELEMETRY=true if desired
3. Secure API keys - Never commit to version control
4. Use Docker - Provides isolation and consistent environment
5. Regular backups - Before using code execution features
6. Monitor logs - Check for suspicious activity

• Read SECURITY.md
• Configure environment variables via .env (not in code)
• Review API key storage (don't share .blend files with keys)
• Understand code execution risks
• Set up telemetry preferences
• Update .gitignore if adding sensitive files

• Security Policy: See SECURITY.md
• Environment Config: See .env.example
• Main Documentation: See README.md

If you encounter issues with these changes:

1. Check the updated README.md for new instructions
2. Review SECURITY.md for security-related questions
3. Join the Discord community for support
4. Report bugs through GitHub issues (not security vulnerabilities!)

Status: ✅ Ready for deployment with improved security posture Risk Level: 🟢 Low (after implementing these changes) Recommended Action: Update immediately and review security documentation