# Docker secrets (TEST ONLY)

This directory mounts as Docker secrets into the `gps-denied-onboard` service.

The `mavlink_passkey` file is a deterministic 32-byte hex string used solely for FT-P-09-AP / NFT-SEC-03 testing of MAVLink 2.0 message signing.

**Production deployments MUST NOT use this file.** Production wires the passkey via `/run/secrets/mavlink_passkey` from a real secret store; the test fixture path here is intercepted at compose build time so the production artifact never sees this value.

The matching key on the runner side lives at `e2e/fixtures/secrets/mavlink-test-passkey.txt` (same bytes) — pymavlink loads it from there when constructing the signed-message peer.
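
MAVLink 2.0 signing appends a 13-byte block (link id, 48-bit timestamp, first 6 bytes of a SHA-256 over key, frame, link id and timestamp), so the peer verifies only if both fixture files hold the same bytes. The sketch below is an added example, not code from this repository or from pymavlink; it assumes the passkey file holds 64 hex characters decoding to a 32-byte key, and the key and frame values are constructed.

```python
import hashlib
import hmac

KEY_LEN = 32          # MAVLink 2 secret key size in bytes
IFLAG_SIGNED = 0x01   # MAVLINK_IFLAG_SIGNED bit in incompat_flags

# Constructed sample key (NOT the value stored in this directory).
TEST_KEY_HEX = bytes(range(32)).hex()
# Constructed HEARTBEAT-shaped frame: 10-byte header, 9-byte payload and a
# placeholder 2-byte CRC. Signing hashes these bytes as-is.
FRAME = bytes.fromhex("fd090100000101000000") + bytes(9) + b"\x00\x00"


def load_passkey(text: str) -> bytes:
    """Decode a passkey file body (assumed format: 64 hex characters)."""
    key = bytes.fromhex(text.strip())
    if len(key) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN} key bytes, got {len(key)}")
    return key


def sign_frame(key: bytes, frame: bytes, link_id: int, timestamp: int) -> bytes:
    """Return the 13-byte block: link id, 48-bit timestamp, 48-bit signature."""
    if len(frame) < 3 or not frame[2] & IFLAG_SIGNED:
        raise ValueError("frame is not flagged as signed in incompat_flags")
    # Timestamp is little-endian, in 10 microsecond units since 2015-01-01.
    trailer = bytes([link_id]) + timestamp.to_bytes(6, "little")
    digest = hashlib.sha256(key + frame + trailer).digest()
    return trailer + digest[:6]


def verify_frame(key: bytes, frame: bytes, block: bytes) -> bool:
    """Recompute the block with the local key and compare in constant time.

    A full receiver also rejects timestamps that are not newer than the last
    one seen on the same stream; that replay check is omitted here.
    """
    if len(block) != 13:
        return False
    timestamp = int.from_bytes(block[1:7], "little")
    expected = sign_frame(key, frame, block[0], timestamp)
    return hmac.compare_digest(expected, block)


if __name__ == "__main__":
    onboard = load_passkey(TEST_KEY_HEX + "\n")   # onboard-side fixture
    runner = load_passkey(TEST_KEY_HEX)           # runner-side fixture
    block = sign_frame(onboard, FRAME, link_id=0, timestamp=123456)
    print("same key verifies:", verify_frame(runner, FRAME, block))
    print("other key verifies:", verify_frame(bytes(32), FRAME, block))
```
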