TANTHEM mint DApp — security model

Live DApp: https://fthtrading.github.io/Troptions-full-pack/mint.html

Source: sites/investor/mint.html (copied to docs/mint.html for GitHub Pages)

Core rule: seed never leaves the browser

Data	Sent to server?	Where it lives
XRPL issuer seed (`s…`)	Never	Password field in browser only; used by `xrpl.js` to sign locally
Unsigned mint batch	No (embedded in page)	Static JSON in `mint.html`
Signed transactions	No	Submitted from browser directly to XRPL validators via WebSocket

GitHub Pages serves static HTML only. There is no backend that can receive, log, or store a seed.

Operator checklist

Prefer the browser mint DApp over scripts/xrpl_mint_ready.py --sign when possible — avoids seed in shell history or .env on shared machines.
Do not paste seeds into chat, docs, CI, or agent prompts.
Do not commit .env, signed tx dumps, or screenshots containing seeds.
Use a dedicated issuer machine or air-gapped workflow for production mint.
Clear browser cache (and close the tab) after minting completes or if you abandon the session.
Verify results on XRPSCAN issuer account before external “collection live” claims.

What the DApp does

Loads xrpl.js from CDN (unpkg.com).
Connects to XRPL mainnet via public WebSocket (wss://xrplcluster.com or equivalent in page).
Reads 703 prepared NFTokenMint payloads from embedded MINT_BATCH.
Signs each transaction in-browser with the seed you enter.
Submits signed txs to the ledger.

No step sends the seed over HTTP to FTH, GitHub, or Cursor.

Python script (fallback only)

scripts/xrpl_mint_ready.py can sign with XRPL_ISSUER_SEED in local .env. Use only on a hardened host; never run via CI or remote agents. Prefer browser mint for seed safety.

Honest status labels

Step	Label
IPFS audio + manifest	PROVEN
L1 collection hash anchor	PROVEN (`TROPTIONS_L1_ANCHOR_CONFIRMED.json`)
Mint DApp deployed	LIVE (static; user must sign)
703 NFTs on XRPL mainnet	PENDING until XRPSCAN shows issuer `NFToken` entries