Redact sensitive validator identity material and internal URLs from documentation#109

Draft
Copilot wants to merge 2 commits into main from copilot/remove-sensitive-info-docs

Conversation

Copilot AI commented Mar 3, 2026

Real validator BLS keys, proof-of-possession signatures, P-Chain wallet addresses, and node IDs were committed in public documentation, expanding the attack surface for targeted validator attacks. Internal Asana task URLs also leaked organizational structure.

Changes

  • BLS key / NodeID (README.md): Replaced real nodeID, publicKey, and proofOfPossession values in the info.getNodeID example response with zero-value placeholders
    "nodeID": "NodeID-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "publicKey": "0x000000000000000000000000000000000000...",
    "proofOfPossession": "0x000000000000000000000000000000000000..."
  • P-Chain wallet addresses (README.md, chains/mainnet/subnet-cli.md): Redacted all occurrences of the mainnet (P-avax1...) and testnet (P-fuji1...) addresses in both prose and terminal output tables → P-avax1<REDACTED> / P-fuji1<REDACTED>
  • Internal Asana URLs (README.md, subnet-cli/subnet-cli-add-subnet-validator-mainnet.sh, subnet-cli/subnet-cli-add-subnet-validator-testnet.sh): Replaced https://app.asana.com/... references with # See internal validator management documentation
Original prompt

This section details the original issue you should resolve

<issue_title>[Security][High] Real validator BLS keys, wallet addresses, and node IDs exposed in documentation</issue_title>
<issue_description>## Summary

The repository README and subnet-cli documentation contain real validator identity material including BLS public keys, proof-of-possession signatures, P-Chain wallet addresses, and node IDs. While these are not private keys, they provide a targeted attack surface for a blockchain validator node.

Findings

1. Real validator BLS public key and proof of possession in README

File: README.md, lines 398-402

"nodeID": "NodeID-5mb46qkSBj81k9g9e4VFjGGSbaaSLFRzD",
"publicKey": "0x8f95423f7142d00a48e1014a3de8d28907d420dc33b3052a6dee03a3f2941a393c2351e354704ca66a3fc29870282e15",
"proofOfPossession": "0x86a3ab4c45cfe31cae34c1d06f212434ac71b1be6cfe046c80c162e057614a94..."

The BLS public key and proof-of-possession together with the NodeID enable targeted attacks including identity spoofing attempts, targeted DoS against the specific validator, and correlation attacks linking on-chain activity to infrastructure.

2. Real P-Chain wallet addresses in documentation

Files: README.md (lines 57, 77, 122, 187, 236, 266), chains/mainnet/subnet-cli.md (lines 36, 94)

  • Mainnet: P-avax142ue2exu7qxuawxe34ww8t623lv82tu2vt573g
  • Testnet: P-fuji1lcztar3x7ra0ajen3dtw4mdhk2cyshfhu2hzgk

These are the wallets that paid for subnet creation and validator staking. Exposing them enables tracking of AVAX balances and staking activity, which aids social engineering.

3. Internal Asana task URLs in public repo

Files: subnet-cli/subnet-cli-add-subnet-validator-mainnet.sh (line 2), subnet-cli/subnet-cli-add-subnet-validator-testnet.sh (line 2), README.md (line 345)

Internal project management URLs expose organizational structure and task IDs.

Suggested Fix

  1. Replace real validator identity material with sanitized examples: NodeID-XXXX, 0x0000..., P-avax1<REDACTED>
  2. Remove internal Asana URLs, replace with generic comments like # See internal validator management documentation
  3. Add a documentation policy note that real addresses/keys should never appear in committed documentation

Impact

Reduces the targeted attack surface for validators. While on-chain data is public, amplifying it in GitHub documentation makes reconnaissance easier for attackers.

Generated by Health Monitor with Omni</issue_description>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: numbers-official <181934381+numbers-official@users.noreply.github.com>
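The PR description and the issue's "Suggested Fix" describe the redaction by hand: NodeID, BLS public key and proof of possession, P-Chain addresses and Asana URLs each replaced by a fixed placeholder. The scanner below is an added example, not code from this PR or the repository: it finds those value classes in documentation and either reports them (exit status 1, usable as a pre-commit check) or rewrites them with the same placeholders the PR chose. The pattern widths (base58 NodeID, 96 hex characters for a 48-byte BLS key, 192 for a 96-byte proof of possession, 38 bech32 data characters for a P-Chain address) are assumptions drawn from the public formats, and every value in the embedded sample is a constructed fixture, not a real key or address.

```python
#!/usr/bin/env python3
"""Scan documentation for validator identity material and internal URLs.

Added example, not code from this PR or repository. It detects the value
classes the PR redacts and rewrites them with the placeholders the PR uses.
Pattern widths are assumptions drawn from the public formats: base58 NodeID,
48-byte BLS public key, 96-byte proof of possession, bech32 P-Chain address.
"""
import re
import sys

# (rule name, pattern, replacement), applied in this order. The placeholders
# are chosen so that an already-redacted file produces no further hits.
RULES = [
    # base58 NodeID (alphabet has no 0, O, I, l); the lookahead skips the
    # all-X placeholder the PR inserts, so check mode does not flag it
    ("nodeid",
     re.compile(r"NodeID-(?!X+\b)[1-9A-HJ-NP-Za-km-z]{25,60}"),
     "NodeID-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"),
    # BLS12-381 public key (96 hex chars) or proof of possession (192 hex chars)
    ("bls_hex",
     re.compile(r"0x[0-9a-fA-F]{96,192}\b"),
     "0x000000000000000000000000000000000000..."),
    # P-Chain bech32 address: P-<hrp>1 followed by 38 bech32 data characters
    ("pchain_address",
     re.compile(r"P-(avax|fuji)1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38}"),
     r"P-\g<1>1<REDACTED>"),
    # internal task-tracker links
    ("asana_url",
     re.compile(r"https?://app\.asana\.com/\S+"),
     "# See internal validator management documentation"),
]


def find_findings(text):
    """Return (line_number, rule_name, matched_text) for every hit, in file order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, _ in RULES:
            for match in pattern.finditer(line):
                hits.append((lineno, name, match.group(0)))
    return hits


def redact(text):
    """Apply every rule to the text; return (redacted_text, replacement_count)."""
    total = 0
    for _, pattern, replacement in RULES:
        text, count = pattern.subn(replacement, text)
        total += count
    return text, total


# Constructed sample document: every value below is a fabricated fixture.
SAMPLE_DOC = """\
Example response from info.getNodeID:
  "nodeID": "NodeID-TestFixtureNodeAbcdef111111111111",
  "publicKey": "0x{pk}",
  "proofOfPossession": "0x{pop}"
Fund the wallet P-avax1{avax} on mainnet
and P-fuji1{fuji} on Fuji.
# https://app.asana.com/0/PLACEHOLDER-PROJECT/PLACEHOLDER-TASK
""".format(
    pk="ab" * 48,                                        # 96 hex chars
    pop="cd" * 96,                                       # 192 hex chars
    avax="qpzry9x8gf2tvdw0s3jn54khce6mua7l" + "qpzry9",  # 32 + 6 = 38 chars
    fuji="z" * 38,
)


def main(argv):
    """Usage: scan.py [--fix] FILE...  Exit 1 in check mode when anything is found."""
    fix = "--fix" in argv
    paths = [arg for arg in argv if arg != "--fix"]
    found = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        hits = find_findings(text)
        for lineno, name, value in hits:
            # print only a prefix so the console does not echo the full value
            print(f"{path}:{lineno}: {name}: {value[:12]}...")
        found += len(hits)
        if fix and hits:
            redacted, _ = redact(text)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(redacted)
    return 1 if (found and not fix) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as `python3 scan.py README.md chains/mainnet/subnet-cli.md subnet-cli/*.sh` in a pre-commit hook to block a commit that reintroduces such values, or with `--fix` to apply the same placeholder substitutions the PR made. The rules are deliberately format-based rather than value-based, so the check keeps working after the specific leaked values have been rotated or forgotten.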
Copilot AI changed the title from "[WIP] Remove real validator identity data from documentation" to "Redact sensitive validator identity material and internal URLs from documentation" on Mar 3, 2026
Development

Successfully merging this pull request may close these issues.

[Security][High] Real validator BLS keys, wallet addresses, and node IDs exposed in documentation