fix: remove hardcoded Engine API JWT secret and require explicit configuration #1087

Open: erhnysr wants to merge 1 commit into base:main from erhnysr:fix/hardcoded-jwt-secret


erhnysr commented May 20, 2026

Summary

Fixes #1086.

The default BASE_NODE_L2_ENGINE_AUTH_RAW value (688f5d737bad920b...) was a well-known public hex string committed in the repository. Since authrpc binds to 0.0.0.0:8551, any operator using host networking, Kubernetes, custom port mappings, or shared Docker networks was exposed to unauthenticated Engine API access.

⚠️ Breaking Change

Operators who relied on the default BASE_NODE_L2_ENGINE_AUTH_RAW value must now set their own secret before starting the node. The entrypoints will exit with a clear error message and generation hint if the variable is unset or still holds the placeholder:

ERROR: BASE_NODE_L2_ENGINE_AUTH_RAW is not set or still uses the default placeholder.
Please generate a secure secret and set it in your .env file:
  export BASE_NODE_L2_ENGINE_AUTH_RAW=$(openssl rand -hex 32)

Changes

  • .env.mainnet / .env.sepolia: Replace hardcoded secret with <your-secret-jwt> placeholder and generation instructions
  • reth/reth-entrypoint, base-consensus-entrypoint, geth/geth-entrypoint, op-node-entrypoint: Add validation block — exits with clear error if secret is unset or placeholder
  • README.md: Document BASE_NODE_L2_ENGINE_AUTH_RAW as a required field under Configuration → Required Settings

Test plan

  • Start node without setting BASE_NODE_L2_ENGINE_AUTH_RAW — confirm all entrypoints exit with error message and generation hint
  • Set BASE_NODE_L2_ENGINE_AUTH_RAW=$(openssl rand -hex 32) — confirm node starts and containers authenticate successfully
  • Verify no regressions with a valid secret set

cb-heimdall (Collaborator) commented May 20, 2026

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 0
Sum 1

…iguration

The default BASE_NODE_L2_ENGINE_AUTH_RAW value was a well-known public hex
string committed in the repository. Because authrpc binds to 0.0.0.0, any
operator using host networking, Kubernetes, custom port mappings, or shared
Docker networks was exposed to unauthenticated Engine API access.

- Replace hardcoded secret in .env.mainnet and .env.sepolia with a
  placeholder that instructs operators to generate their own value
  with `openssl rand -hex 32`
- Add validation in execution-entrypoint that exits with a clear error
  message if BASE_NODE_L2_ENGINE_AUTH_RAW is unset or still holds the
  placeholder value
- Upgrade the existing empty-check in consensus-entrypoint to also catch
  the placeholder value
- Document BASE_NODE_L2_ENGINE_AUTH_RAW as a required field in README.md

Fixes base#1086

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
erhnysr force-pushed the fix/hardcoded-jwt-secret branch from e917d59 to 92c3193 on May 21, 2026 21:31

erhnysr (Author) commented May 21, 2026

Rebased on latest main (post #1090)

This PR has been rebased onto the current main branch, which restructured the client entrypoints in #1090. The changes are updated accordingly:

File | Change
.env.mainnet / .env.sepolia | Hardcoded secret → <your-secret-jwt> placeholder with generation hint
execution-entrypoint | Added validation block — exits with clear error if secret is unset or placeholder
consensus-entrypoint | Upgraded existing empty-check to also catch the placeholder value
README.md | BASE_NODE_L2_ENGINE_AUTH_RAW added to Required Settings

The original files from the old structure (base-consensus-entrypoint, op-node-entrypoint) were removed in #1090 and are no longer part of this PR.

The hardcoded 688f5d737bad920b... value is still present in main — any operator running with the default .env.mainnet or .env.sepolia is currently exposed. Happy to address any review feedback.
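The entrypoint validation this PR describes (exit when BASE_NODE_L2_ENGINE_AUTH_RAW is unset or still the <your-secret-jwt> placeholder), as an added sketch that is not the PR's own code. It goes beyond the PR in two labelled ways: it rejects values beginning with the published prefix of the old default, which covers an existing .env file that still carries it, and it requires exactly 64 hex characters. The function name and return codes are assumptions.

```shell
#!/bin/sh
# Added example; not taken from the PR's entrypoint scripts.
PLACEHOLDER='<your-secret-jwt>'
# Prefix of the formerly committed default, only as far as the page shows it.
OLD_DEFAULT_PREFIX='688f5d737bad920b'

# validate_engine_jwt VALUE
# Returns 0 usable, 1 unset/placeholder, 2 old public default, 3 malformed.
validate_engine_jwt() {
    secret=${1:-}

    if [ -z "$secret" ] || [ "$secret" = "$PLACEHOLDER" ]; then
        echo "ERROR: BASE_NODE_L2_ENGINE_AUTH_RAW is not set or still uses the default placeholder." >&2
        echo "Please generate a secure secret and set it in your .env file:" >&2
        echo '  export BASE_NODE_L2_ENGINE_AUTH_RAW=$(openssl rand -hex 32)' >&2
        return 1
    fi

    # Assumption beyond the PR: an operator who kept an old .env file still
    # holds the published value, which the placeholder check cannot catch.
    case $secret in
        "$OLD_DEFAULT_PREFIX"*)
            echo "ERROR: BASE_NODE_L2_ENGINE_AUTH_RAW matches the previously published default." >&2
            return 2
            ;;
    esac

    # Assumption beyond the PR: `openssl rand -hex 32` yields 64 hex characters.
    if [ "${#secret}" -ne 64 ]; then
        echo "ERROR: BASE_NODE_L2_ENGINE_AUTH_RAW must be 64 hex characters." >&2
        return 3
    fi
    case $secret in
        *[!0-9a-fA-F]*)
            echo "ERROR: BASE_NODE_L2_ENGINE_AUTH_RAW contains non-hex characters." >&2
            return 3
            ;;
    esac
    return 0
}

# In an entrypoint, before the client is started:
#   validate_engine_jwt "${BASE_NODE_L2_ENGINE_AUTH_RAW:-}" || exit 1
```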


Development

Successfully merging this pull request may close these issues.

Bug: default Engine API JWT secret is hardcoded while authrpc binds to 0.0.0.0