saap-plattform / SECURITY_REMEDIATION_REQUIRED.md
feat: initial HuggingFace Space deployment
4343907

🚨 CRITICAL SECURITY REMEDIATION REQUIRED

Status: ⛔ DO NOT PUSH TO GITHUB YET
Date: 2025-11-11
Severity: CRITICAL

Security Issue Discovered

After importing source code from le-chantier, security scanning revealed hardcoded API keys in 40+ files scattered throughout the codebase.

API Keys Found

Two API keys hardcoded in multiple locations:

  1. Colossus API Key: sk-dBoxml3krytIRLdjr35Lnw
  2. OpenRouter API Key: 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

Affected Files (40+ instances)

Agents (6 instances)

  • backend/agents/colossus_agent.py - Default api_key parameter
  • backend/agents/colossus_saap_agent.py - API_KEY constant
  • backend/agents/openrouter_agent_enhanced.py - API_KEY constant
  • backend/agents/openrouter_saap_agent.py - COLOSSUS_KEY constant

API Clients (2 instances)

  • backend/api/colossus_client.py - Default api_key parameter
  • backend/api/openrouter_client.py - Hardcoded api_key variable

Configuration (4 instances)

  • backend/config/settings.py - Default values for both keys (2 instances)
  • backend/settings.py - Duplicate default values (2 instances)

Models & Schemas (12+ instances)

  • backend/models/agent.py - Template defaults (3 instances)
  • backend/models/agent_schema.json - Schema examples (3 instances)
  • backend/models/agent_templates.json - Template defaults (5 instances)
  • backend/agent.py - Duplicate file (3 instances)
  • backend/agent_schema.json - Duplicate schema (3 instances)
  • backend/agent_templates.json - Duplicate templates (5 instances)

Services (3 instances)

  • backend/services/agent_manager_hybrid.py - Default fallback
  • backend/services/agent_manager_hybrid_fixed.py - Default fallback
  • backend/services/openrouter_integration.py - Constructor default
  • backend/openrouter_integration.py - Duplicate file
  • backend/agent_manager_hybrid.py - Duplicate file
  • backend/agent_manager_hybrid.py.backup - Backup file
  • backend/agent_manager_hybrid_fixed.py - Duplicate file

Scripts & Tests (1 instance)

  • backend/scripts/test_colossus_integration.py - Test API_KEY constant
  • backend/test_colossus_integration.py - Duplicate file

Main Application (1 instance)

  • backend/main.py - Hardcoded openrouter_key variable

Environment Template (2 instances)

  • backend/.env.example - BOTH keys present (may be acceptable for examples, but verify these are dummy keys first)

Remediation Plan

Option 1: Environment Variables (Recommended)

Replace all hardcoded keys with environment variable lookups:

# BEFORE (agents/colossus_agent.py)
api_key: str = "sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
import os
api_key: str = os.getenv("COLOSSUS_API_KEY", "")

# BEFORE (config/settings.py)
default="sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
default=os.getenv("COLOSSUS_API_KEY", "")

Option 2: Remove Defaults Entirely (Most Secure)

Force explicit configuration, no fallbacks:

# BEFORE
api_key: str = "sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
api_key: str  # No default - must be provided explicitly

Option 3: Use Placeholder Values

Replace with obvious placeholders:

# BEFORE
api_key: str = "sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
api_key: str = "YOUR_COLOSSUS_API_KEY_HERE"
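One caveat on Option 1: `os.getenv("COLOSSUS_API_KEY", "")` turns a missing variable into an empty string that only fails on the first API call, and an Option 3 placeholder left in `.env` is accepted just as silently. The loader below is an added example, not code from this repository; `api_key_problem`, `require_api_key` and the `Settings` stand-in are assumed names. It reads the variable like Option 1 but refuses to start, as Option 2 intends, when the value is empty or still a `YOUR_*_HERE` placeholder.

```python
import os
import re
from typing import Mapping, Optional

# Shape of the Option 3 placeholders (YOUR_COLOSSUS_API_KEY_HERE, ...).
_PLACEHOLDER = re.compile(r"^YOUR_[A-Z_]+_HERE$")


def api_key_problem(var_name: str, value: str) -> Optional[str]:
    """Return why `value` cannot be used as the key for `var_name`, or None if it can."""
    value = value.strip()
    if not value:
        return f"{var_name} is not set; export it before starting the backend"
    if _PLACEHOLDER.match(value):
        return f"{var_name} still holds the placeholder {value!r}"
    return None


def require_api_key(var_name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Like os.getenv(var_name, "") but raises at startup instead of returning "".

    `env` defaults to os.environ; passing a dict makes the check testable.
    """
    source = os.environ if env is None else env
    value = source.get(var_name, "")
    problem = api_key_problem(var_name, value)
    if problem is not None:
        raise RuntimeError(problem)
    return value.strip()


class Settings:
    """Stand-in for the settings object in backend/config/settings.py (hypothetical)."""

    def __init__(self, env: Optional[Mapping[str, str]] = None) -> None:
        self.colossus_api_key = require_api_key("COLOSSUS_API_KEY", env)
        self.openrouter_api_key = require_api_key("OPENROUTER_API_KEY", env)


if __name__ == "__main__":
    # Constructed environment: one usable (fake) key, one leftover placeholder.
    demo_env = {"COLOSSUS_API_KEY": "sk-example-not-a-real-key",
                "OPENROUTER_API_KEY": "YOUR_OPENROUTER_API_KEY_HERE"}
    try:
        Settings(demo_env)
    except RuntimeError as exc:
        print(f"startup refused: {exc}")
```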

Automated Remediation Script

#!/bin/bash
# cleanup-secrets.sh
set -euo pipefail

COLOSSUS_KEY='sk-dBoxml3krytIRLdjr35Lnw'
OPENROUTER_KEY='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'

# Python files (including the .py.backup copy listed above): replace the quoted
# literal together with its quotes, so the result is a call to os.getenv(),
# not a string that merely contains the text os.getenv(...).
# The `import os` line still has to be added by hand (see Manual Review below).
find backend/ -type f \( -name "*.py" -o -name "*.py.backup" \) -exec sed -i \
  -e "s/[\"']${COLOSSUS_KEY}[\"']/os.getenv(\"COLOSSUS_API_KEY\", \"\")/g" \
  -e "s/[\"']${OPENROUTER_KEY}[\"']/os.getenv(\"OPENROUTER_API_KEY\", \"\")/g" {} +

# JSON files: replace the key with a placeholder, keeping the surrounding quotes
find backend/ -type f -name "*.json" -exec sed -i \
  -e "s/${COLOSSUS_KEY}/YOUR_COLOSSUS_API_KEY_HERE/g" \
  -e "s/${OPENROUTER_KEY}/YOUR_OPENROUTER_API_KEY_HERE/g" {} +

echo "✅ Secrets remediated - verify changes before committing"

Manual Review Required

Before running automated fixes:

  1. Verify if these are real API keys or test keys

    • If test keys: Can replace with placeholders
    • If real keys: MUST invalidate/rotate immediately
  2. Check .env.example

    • If these are example keys: Acceptable to keep
    • If real keys: Replace with YOUR_*_API_KEY_HERE
  3. Add import os statements

    • Python files using os.getenv() need import os at top

Immediate Actions Required

DO NOT:

  • ❌ Push to GitHub without remediation
  • ❌ Commit files with hardcoded keys
  • ❌ Deploy code with hardcoded keys
  • ❌ Share repository publicly

DO:

  • ✅ Review remediation options with team
  • ✅ Decide on remediation strategy (Option 1, 2, or 3)
  • ✅ Run remediation script OR manually fix
  • ✅ Verify all fixes with grep scan
  • ✅ Test application still works after remediation
  • ✅ Rotate API keys if they are real/active keys
  • ✅ Update .env.example with placeholders
  • ✅ Commit remediated code only

Verification After Remediation

# Scan for remaining hardcoded keys
grep -r -i "sk-or-v1\|sk-dBoxml" backend/

# Should return ZERO results (or only .env.example if using placeholders)
# If any results found in code files, continue remediation
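The grep above keys on the two leaked prefixes and reports every file, including .env.example, the same way. As an added example (not code from this repository), the scanner below does the same walk over the backend tree but matches the key shapes rather than the leaked values, covers the .backup and .json files that a `*.py` glob misses, and lists Option 3 placeholders separately so they do not count as a remaining key. `scan_file`, `scan_tree` and `remediation_complete` are assumed names; the key patterns are written from the formats shown on this page.

```python
import re
from pathlib import Path
from typing import List, Tuple

# Key shapes from this cleanup, written as patterns rather than the leaked values:
# OpenRouter keys are "sk-or-v1-" plus 64 hex digits; Colossus keys are "sk-" plus
# a base62 token. Option 3 placeholders are reported under their own reason.
KEY_PATTERNS = [
    ("openrouter", re.compile(r"sk-or-v1-[0-9a-fA-F]{64}")),
    ("colossus", re.compile(r"\bsk-(?!or-v1-)[A-Za-z0-9]{20,}")),
]
PLACEHOLDER = re.compile(r"YOUR_[A-Z]+_API_KEY_HERE")

Finding = Tuple[str, int, str]  # (path, line number, reason)


def scan_file(path: str, text: str) -> List[Finding]:
    """Report key-shaped literals in one file. Placeholders are expected in
    .env.example and are listed (not failed) elsewhere so Option 3 leftovers stay visible."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in KEY_PATTERNS:
            if pattern.search(line):
                findings.append((path, lineno, f"hardcoded {name} key"))
        if PLACEHOLDER.search(line) and not path.endswith(".env.example"):
            findings.append((path, lineno, "placeholder"))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk every file under root, so .backup and .json files are covered too."""
    findings: List[Finding] = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            findings.extend(scan_file(str(p), p.read_text(encoding="utf-8", errors="replace")))
    return findings


def remediation_complete(findings: List[Finding]) -> bool:
    """True when no hardcoded key remains; placeholders alone do not block a commit."""
    return not any(reason.startswith("hardcoded") for _, _, reason in findings)


if __name__ == "__main__":
    # Constructed sample line with a fake key; run scan_tree("backend") on the real tree.
    sample = 'openrouter_key = "sk-or-v1-' + "ab" * 32 + '"\n'
    for path, lineno, reason in scan_file("backend/main.py", sample):
        print(f"{path}:{lineno}: {reason}")
```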

Post-Remediation Checklist

  • All hardcoded keys replaced in Python files
  • All hardcoded keys replaced in JSON files
  • .env.example contains only placeholders
  • No secrets in git history (we're starting fresh, so OK)
  • Application tested with environment variables
  • README updated with environment setup instructions
  • .gitignore verified (already created)
  • Final security scan clean

Contact for Questions

Security Team:

Master Thesis Supervisor:

  • (Contact info)

REMEDIATION STATUS: ⏳ PENDING
Last Updated: 2025-11-11 12:46 CET
Action Owner: Hanan (Master Student)