# 🚨 CRITICAL SECURITY REMEDIATION REQUIRED

**Status:** ⛔ **DO NOT PUSH TO GITHUB YET**  
**Date:** 2025-11-11  
**Severity:** CRITICAL

## Security Issue Discovered

After importing source code from le-chantier, security scanning revealed **hardcoded API keys in 40+ files** scattered throughout the codebase.

## API Keys Found

**Two API keys hardcoded in multiple locations:**

1. **Colossus API Key:** `sk-dBoxml3krytIRLdjr35Lnw`
2. **OpenRouter API Key:** `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`

## Affected Files (40+ instances)

### Agents (6 instances)
- `backend/agents/colossus_agent.py` - Default api_key parameter
- `backend/agents/colossus_saap_agent.py` - API_KEY constant
- `backend/agents/openrouter_agent_enhanced.py` - API_KEY constant
- `backend/agents/openrouter_saap_agent.py` - COLOSSUS_KEY constant

### API Clients (2 instances)
- `backend/api/colossus_client.py` - Default api_key parameter
- `backend/api/openrouter_client.py` - Hardcoded api_key variable

### Configuration (4 instances)
- `backend/config/settings.py` - Default values for both keys (2 instances)
- `backend/settings.py` - Duplicate default values (2 instances)

### Models & Schemas (12+ instances)
- `backend/models/agent.py` - Template defaults (3 instances)
- `backend/models/agent_schema.json` - Schema examples (3 instances)
- `backend/models/agent_templates.json` - Template defaults (5 instances)
- `backend/agent.py` - Duplicate file (3 instances)
- `backend/agent_schema.json` - Duplicate schema (3 instances)
- `backend/agent_templates.json` - Duplicate templates (5 instances)

### Services (3 instances)
- `backend/services/agent_manager_hybrid.py` - Default fallback
- `backend/services/agent_manager_hybrid_fixed.py` - Default fallback
- `backend/services/openrouter_integration.py` - Constructor default
- `backend/openrouter_integration.py` - Duplicate file
- `backend/agent_manager_hybrid.py` - Duplicate file
- `backend/agent_manager_hybrid.py.backup` - Backup file
- `backend/agent_manager_hybrid_fixed.py` - Duplicate file

### Scripts & Tests (1 instance)
- `backend/scripts/test_colossus_integration.py` - Test API_KEY constant
- `backend/test_colossus_integration.py` - Duplicate file

### Main Application (1 instance)
- `backend/main.py` - Hardcoded openrouter_key variable

### Environment Template (2 instances)
- `backend/.env.example` - **BOTH keys present** (may be acceptable for examples, but verify these are dummy keys first)

## Remediation Plan

### Option 1: Environment Variables (Recommended)

**Replace all hardcoded keys with environment variable lookups:**

```python
# BEFORE (agents/colossus_agent.py)
api_key: str = "sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
import os
api_key: str = os.getenv("COLOSSUS_API_KEY", "")
```

```python
# BEFORE (config/settings.py)
default="sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
default=os.getenv("COLOSSUS_API_KEY", "")
```

### Option 2: Remove Defaults Entirely (Most Secure)

**Force explicit configuration, no fallbacks:**

```python
# BEFORE
api_key: str = "sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
api_key: str  # No default - must be provided explicitly
```

### Option 3: Use Placeholder Values

**Replace with obvious placeholders:**

```python
# BEFORE
api_key: str = "sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
api_key: str = "YOUR_COLOSSUS_API_KEY_HERE"
```
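The three options above differ in what happens when nobody sets the variable: Option 1's `os.getenv("COLOSSUS_API_KEY", "")` silently sends an empty key to the API, while Option 2 only fails if the code path that reads the field is actually exercised. The loader below is an added example (not code from le-chantier or this memo) that applies Option 2 at startup: it reads the two variable names the memo uses, refuses empty values and Option 3 placeholders, and keeps the values out of `repr()` output. `Settings`, `require_secret` and `MissingSecretError` are names chosen for this example, not existing project identifiers.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent, empty, or still a placeholder."""


# Shape of the Option 3 placeholders (YOUR_*_API_KEY_HERE); such a value
# must never be accepted as a real credential.
PLACEHOLDER_PREFIX = "YOUR_"
PLACEHOLDER_SUFFIX = "_HERE"


def require_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Return the value of environment variable `name`, refusing to fall back to ''.

    `env` defaults to os.environ; tests pass a dict so nothing leaks into the
    real process environment.
    """
    source = os.environ if env is None else env
    value = source.get(name, "").strip()
    if not value:
        raise MissingSecretError(
            f"{name} is not set; export it or add it to your local .env "
            "(see .env.example for the variable names)"
        )
    if value.startswith(PLACEHOLDER_PREFIX) and value.endswith(PLACEHOLDER_SUFFIX):
        raise MissingSecretError(f"{name} still holds the placeholder from .env.example")
    return value


@dataclass(frozen=True, repr=False)
class Settings:
    """Hypothetical replacement for the defaulted key fields in backend/config/settings.py."""

    colossus_api_key: str
    openrouter_api_key: str

    @classmethod
    def from_env(cls, env: Optional[Mapping[str, str]] = None) -> "Settings":
        # Variable names as used throughout the memo.
        return cls(
            colossus_api_key=require_secret("COLOSSUS_API_KEY", env),
            openrouter_api_key=require_secret("OPENROUTER_API_KEY", env),
        )

    def __repr__(self) -> str:
        # Keep secrets out of logs, tracebacks and debugger output.
        return "Settings(colossus_api_key='***', openrouter_api_key='***')"


if __name__ == "__main__":
    try:
        print("configuration loaded:", Settings.from_env())
    except MissingSecretError as exc:
        # Fail at process start, not on the first API call made with an empty key.
        raise SystemExit(f"startup aborted: {exc}")
```

Calling `Settings.from_env()` once at application start (for example in `main.py`) turns a missing or placeholder key into an immediate, readable error instead of an authentication failure deep in an agent.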

## Automated Remediation Script

```bash
#!/bin/bash
# cleanup-secrets.sh
# Rewrites the two leaked keys in place. The Python patterns include the
# surrounding quote characters so that "sk-..." becomes os.getenv(...) rather
# than "os.getenv(...)" still wrapped in the old quotes. Files are selected by
# name, so the *.py.backup copies listed above are NOT touched and must be
# removed or fixed by hand, and "import os" must still be added to each
# rewritten module (see "Manual Review Required").
set -euo pipefail

COLOSSUS_KEY='sk-dBoxml3krytIRLdjr35Lnw'
OPENROUTER_KEY='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'

# Python files: replace the quoted literal with an environment variable lookup
find backend/ -type f -name "*.py" -exec sed -i \
  "s/[\"']${COLOSSUS_KEY}[\"']/os.getenv(\"COLOSSUS_API_KEY\", \"\")/g" {} +

find backend/ -type f -name "*.py" -exec sed -i \
  "s/[\"']${OPENROUTER_KEY}[\"']/os.getenv(\"OPENROUTER_API_KEY\", \"\")/g" {} +

# JSON files: a Python expression is not valid JSON, so use placeholders
find backend/ -type f -name "*.json" -exec sed -i \
  "s/${COLOSSUS_KEY}/YOUR_COLOSSUS_API_KEY_HERE/g" {} +

find backend/ -type f -name "*.json" -exec sed -i \
  "s/${OPENROUTER_KEY}/YOUR_OPENROUTER_API_KEY_HERE/g" {} +

echo "✅ Secrets remediated - verify changes before committing"
```

## Manual Review Required

**Before running automated fixes:**

1. **Verify if these are real API keys or test keys**
   - If test keys: Can replace with placeholders
   - If real keys: **MUST invalidate/rotate immediately**

2. **Check .env.example**
   - If these are example keys: Acceptable to keep
   - If real keys: Replace with `YOUR_*_API_KEY_HERE`

3. **Add `import os` statements**
   - Python files using `os.getenv()` need `import os` at top

## Immediate Actions Required

### DO NOT:
- ❌ Push to GitHub without remediation
- ❌ Commit files with hardcoded keys
- ❌ Deploy code with hardcoded keys
- ❌ Share repository publicly

### DO:
- ✅ Review remediation options with team
- ✅ Decide on remediation strategy (Option 1, 2, or 3)
- ✅ Run remediation script OR manually fix
- ✅ Verify all fixes with `grep` scan
- ✅ Test application still works after remediation
- ✅ Rotate API keys if they are real/active keys
- ✅ Update .env.example with placeholders
- ✅ Commit remediated code only

## Verification After Remediation

```bash
# Scan for remaining hardcoded keys (case-insensitive, with line numbers;
# -E makes the alternation work on non-GNU grep as well)
grep -rniE --exclude-dir=.git "sk-or-v1|sk-dBoxml" backend/

# Should return ZERO results (or only .env.example if using placeholders)
# If any results found in code files, continue remediation
```
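The `grep` above is a one-off check; the same scan is more useful as a gate that runs on every commit and CI build. The scanner below is an added example (not part of the memo or the le-chantier code base) that looks for the two key prefixes the memo greps for, allows them only in `.env.example`, and exits non-zero on any hit. The directory layout and file contents it builds in `build_sample_tree` are constructed for the demonstration (the key values there are made up and only share the real prefixes); it deliberately includes a `.py.backup` copy, because the cleanup script's `-name "*.py"` filter leaves such files untouched.

```python
import re
import sys
import tempfile
from pathlib import Path
from typing import Iterator, List, Tuple

# Key prefixes from the memo's grep command; matching only the prefix means
# the scanner never has to carry (or print) a full secret.
KEY_PREFIX = re.compile(r"sk-or-v1-|sk-dBoxml", re.IGNORECASE)
# Files allowed to contain the prefix (placeholders live here per the memo).
ALLOWED_FILES = {".env.example"}
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv"}

Finding = Tuple[str, int, str]  # (path relative to root, line number, matched prefix)


def iter_files(root: Path) -> Iterator[Path]:
    """Yield every regular file under root, skipping vendored/VCS directories."""
    for path in root.rglob("*"):
        rel_parts = path.relative_to(root).parts
        if any(part in SKIP_DIRS for part in rel_parts):
            continue
        if path.is_file() and path.name not in ALLOWED_FILES:
            yield path


def scan_tree(root: Path) -> List[Finding]:
    """Return one finding per matching line, sorted so output is stable."""
    findings: List[Finding] = []
    for path in iter_files(root):
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            match = KEY_PREFIX.search(line)
            if match:
                findings.append((path.relative_to(root).as_posix(), lineno, match.group(0)))
    return sorted(findings)


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: the memo's layout after cleanup-secrets.sh has run.

    Key values below are made up; only the prefixes match the real ones.
    """
    agents = root / "backend" / "agents"
    agents.mkdir(parents=True)
    # Rewritten by the script: reads from the environment, nothing to flag.
    (agents / "colossus_agent.py").write_text(
        'import os\napi_key: str = os.getenv("COLOSSUS_API_KEY", "")\n'
    )
    # Not rewritten: the script only matches *.py and *.json, so the
    # .py.backup copy listed in the memo still carries a key.
    (root / "backend" / "agent_manager_hybrid.py.backup").write_text(
        'COLOSSUS_KEY = "sk-dBoxmlCONSTRUCTED0000"\n'
    )
    # Allowed location for placeholders.
    (root / "backend" / ".env.example").write_text(
        "COLOSSUS_API_KEY=YOUR_COLOSSUS_API_KEY_HERE\n"
        "OPENROUTER_API_KEY=YOUR_OPENROUTER_API_KEY_HERE\n"
    )
    # A module that still holds a literal (e.g. re-added by hand after the run).
    (root / "backend" / "main.py").write_text(
        'openrouter_key = "sk-or-v1-0000constructed0000"\n'
    )


def demo() -> List[Finding]:
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    hits = scan_tree(target) if target else demo()
    for rel, lineno, prefix in hits:
        print(f"{rel}:{lineno}: hardcoded key starting with {prefix}")
    # Non-zero exit makes this usable as a pre-commit hook or CI gate.
    sys.exit(1 if hits else 0)
```

Run it as `python scan_secrets.py backend/` against the real tree; without an argument it scans the constructed fixture and reports the `.py.backup` file and `main.py` while staying silent on the rewritten agent and on `.env.example`.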

## Post-Remediation Checklist

- [ ] All hardcoded keys replaced in Python files
- [ ] All hardcoded keys replaced in JSON files
- [ ] .env.example contains only placeholders
- [ ] No secrets in git history (we're starting fresh, so OK)
- [ ] Application tested with environment variables
- [ ] README updated with environment setup instructions
- [ ] .gitignore verified (already created)
- [ ] Final security scan clean

## Contact for Questions

**Security Team:**
- CTO Michael Wegener ([email protected])

**Master Thesis Supervisor:**
- (Contact info)

---

**REMEDIATION STATUS:** ⏳ PENDING  
**Last Updated:** 2025-11-11 12:46 CET  
**Action Owner:** Hanan (Master Student)