Remove HMAC salt from public release

GLEGram/SGSupporters/Sources/SupportersCrypto.swift

@@ -2,7 +2,7 @@ import Foundation
 import CryptoKit
 import SGLogging
 
-private let HMAC_SALT = "glegram-hmac-v1"
+private let HMAC_SALT = "YOUR_HMAC_SALT"
 private let TS_MAX_AGE_SEC = 300
 
 /// AES-256-GCM + HMAC-SHA256 (anti-tampering, replay protection).
@@ -24,7 +24,7 @@ enum SupportersCrypto {
         SymmetricKey(data: normalizeKeyData(key))
     }
 
-    /// Derive HMAC key: HMAC-SHA256(master_key, "glegram-hmac-v1").
+    /// Derive HMAC key: HMAC-SHA256(master_key, "HMAC salt string").
     private static func deriveHmacKey(from masterKey: Data) -> SymmetricKey {
         let key = SymmetricKey(data: masterKey)
         let salt = Data(Array(HMAC_SALT.utf8))

scripts/check-secrets.sh

@@ -26,8 +26,20 @@ if grep -rq "F8A8NWPL78" . --include="*.swift" --include="*.json" --include="*.b
     FOUND=1
 fi
 
+# HMAC salt
+if grep -rq "glegram-hmac-v1" . --include="*.swift" 2>/dev/null; then
+    echo "FAIL: HMAC salt found!"
+    FOUND=1
+fi
+
 # SSL pinning hashes
 if grep -rq "brDmHiqwkhgPrFDmkcD2IsDUdKLZlyGjGkn0SOGNKFI" . --include="*.swift" --include="*.json" 2>/dev/null; then
+# HMAC salt
+if grep -rq "glegram-hmac-v1" . --include="*.swift" 2>/dev/null; then
+    echo "FAIL: HMAC salt found!"
+    FOUND=1
+fi
+
     echo "FAIL: SSL pinning hashes found!"
     FOUND=1
 fi

scripts/strip-secrets.sh

@@ -47,6 +47,10 @@ public let SG_API_WEBAPP_URL_PARSED = URL(string: SG_CONFIG.webappUrl)!
 SWIFT
 echo "  Stripped: SGConfig"
 
+# 1.5 SupportersCrypto — remove HMAC salt
+sed -i '' 's/private let HMAC_SALT = .*/private let HMAC_SALT = "YOUR_HMAC_SALT"/' GLEGram/SGSupporters/Sources/SupportersCrypto.swift 2>/dev/null
+echo "  Stripped: HMAC salt"
+
 # 2. Build configs — replace with templates
 for cfg in build-system/ipa-build-configuration.json build-system/glegram-appstore-configuration.json; do
     cat > "$cfg" << 'JSON'