# CRITICAL SECURITY REMEDIATION REQUIRED

**Status:** **DO NOT PUSH TO GITHUB YET**
**Date:** 2025-11-11
**Severity:** CRITICAL

## Security Issue Discovered

After importing source code from le-chantier, security scanning revealed **hardcoded API keys in 40+ files** scattered throughout the codebase.

## API Keys Found

**Two API keys hardcoded in multiple locations:**

1. **Colossus API Key:** `sk-dBoxml3krytIRLdjr35Lnw`
2. **OpenRouter API Key:** `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`

## Affected Files (40+ instances)

### Agents (6 instances)

- `backend/agents/colossus_agent.py` - Default api_key parameter
- `backend/agents/colossus_saap_agent.py` - API_KEY constant
- `backend/agents/openrouter_agent_enhanced.py` - API_KEY constant
- `backend/agents/openrouter_saap_agent.py` - COLOSSUS_KEY constant

### API Clients (2 instances)

- `backend/api/colossus_client.py` - Default api_key parameter
- `backend/api/openrouter_client.py` - Hardcoded api_key variable

### Configuration (4 instances)

- `backend/config/settings.py` - Default values for both keys (2 instances)
- `backend/settings.py` - Duplicate default values (2 instances)

### Models & Schemas (12+ instances)

- `backend/models/agent.py` - Template defaults (3 instances)
- `backend/models/agent_schema.json` - Schema examples (3 instances)
- `backend/models/agent_templates.json` - Template defaults (5 instances)
- `backend/agent.py` - Duplicate file (3 instances)
- `backend/agent_schema.json` - Duplicate schema (3 instances)
- `backend/agent_templates.json` - Duplicate templates (5 instances)

### Services (3 instances)

- `backend/services/agent_manager_hybrid.py` - Default fallback
- `backend/services/agent_manager_hybrid_fixed.py` - Default fallback
- `backend/services/openrouter_integration.py` - Constructor default
- `backend/openrouter_integration.py` - Duplicate file
- `backend/agent_manager_hybrid.py` - Duplicate file
- `backend/agent_manager_hybrid.py.backup` - Backup file
- `backend/agent_manager_hybrid_fixed.py` - Duplicate file

### Scripts & Tests (1 instance)

- `backend/scripts/test_colossus_integration.py` - Test API_KEY constant
- `backend/test_colossus_integration.py` - Duplicate file

### Main Application (1 instance)

- `backend/main.py` - Hardcoded openrouter_key variable

### Environment Template (2 instances)

- `backend/.env.example` - **BOTH keys present** (may be acceptable for examples, but verify these are dummy keys first)

## Remediation Plan

### Option 1: Environment Variables (Recommended)

**Replace all hardcoded keys with environment variable lookups:**

```python
# BEFORE (agents/colossus_agent.py)
api_key: str = "sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
import os
api_key: str = os.getenv("COLOSSUS_API_KEY", "")
```

```python
# BEFORE (config/settings.py)
default="sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
default=os.getenv("COLOSSUS_API_KEY", "")
```

### Option 2: Remove Defaults Entirely (Most Secure)

**Force explicit configuration, no fallbacks:**

```python
# BEFORE
api_key: str = "sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
api_key: str  # No default - must be provided explicitly
```

### Option 3: Use Placeholder Values

**Replace with obvious placeholders:**

```python
# BEFORE
api_key: str = "sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
api_key: str = "YOUR_COLOSSUS_API_KEY_HERE"
```

## Automated Remediation Script
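Option 1 and Option 2 can be combined so that a missing key, or a placeholder copied straight from `.env.example`, fails at startup rather than surfacing later as a rejected request. This is an added example, not code from the project; `COLOSSUS_API_KEY` and `OPENROUTER_API_KEY` are the variable names used in the plan above, and the `env` parameter (defaulting to `os.environ`) is an assumption added so the loader can be tested offline.

```python
import os
import re
from typing import Mapping

# Placeholder form used by the remediation plan (Option 3 and .env.example);
# it must never be accepted as a working credential.
PLACEHOLDER_RE = re.compile(r"^YOUR_[A-Z_]+_API_KEY_HERE$")


class MissingSecretError(RuntimeError):
    """Raised when a required API key is absent or still a placeholder."""


def load_api_key(var_name: str, env: Mapping[str, str] = os.environ) -> str:
    """Return the key stored in environment variable var_name.

    Unlike os.getenv(var_name, ""), this refuses to start with an empty key
    or with a placeholder copied from .env.example, so a misconfiguration
    fails at startup instead of surfacing later as a 401 from the provider.
    """
    value = env.get(var_name, "").strip()
    if not value:
        raise MissingSecretError(
            f"{var_name} is not set; export it or add it to your .env file"
        )
    if PLACEHOLDER_RE.match(value):
        raise MissingSecretError(
            f"{var_name} still holds placeholder {value!r}; replace it with a real key"
        )
    return value


def redact(key: str, keep: int = 4) -> str:
    """Log-safe form of a key (first and last few characters only)."""
    if len(key) <= 2 * keep:
        return "*" * len(key)
    return f"{key[:keep]}...{key[-keep:]}"


class Settings:
    """Settings with no built-in credential defaults (Option 2). The env
    parameter is an assumption added so the loader can be tested offline."""

    def __init__(self, env: Mapping[str, str] = os.environ) -> None:
        self.colossus_api_key = load_api_key("COLOSSUS_API_KEY", env)
        self.openrouter_api_key = load_api_key("OPENROUTER_API_KEY", env)
```

Use `redact()` wherever a key would otherwise reach a log line or an error message.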
```bash
#!/bin/bash
# cleanup-secrets.sh
set -euo pipefail

COLOSSUS_KEY='sk-dBoxml3krytIRLdjr35Lnw'
OPENROUTER_KEY='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'

# Python files: replace the whole quoted literal, quotes included, with an
# os.getenv() call. Matching only the key would leave the call wrapped in the
# original quotes ("os.getenv(...)") and produce a string, not a lookup.
find backend/ -type f -name "*.py" -exec sed -i -E \
  "s/[\"']${COLOSSUS_KEY}[\"']/os.getenv(\"COLOSSUS_API_KEY\", \"\")/g" {} +
find backend/ -type f -name "*.py" -exec sed -i -E \
  "s/[\"']${OPENROUTER_KEY}[\"']/os.getenv(\"OPENROUTER_API_KEY\", \"\")/g" {} +

# JSON files: keep the quotes and replace the key value with a placeholder
find backend/ -type f -name "*.json" -exec sed -i \
  "s/${COLOSSUS_KEY}/YOUR_COLOSSUS_API_KEY_HERE/g" {} +
find backend/ -type f -name "*.json" -exec sed -i \
  "s/${OPENROUTER_KEY}/YOUR_OPENROUTER_API_KEY_HERE/g" {} +

# Note: agent_manager_hybrid.py.backup is not matched by "*.py"; fix or delete it by hand.
echo "Secrets remediated - verify changes before committing"
```
## Manual Review Required

**Before running automated fixes:**

1. **Verify if these are real API keys or test keys**
   - If test keys: Can replace with placeholders
   - If real keys: **MUST invalidate/rotate immediately**
2. **Check .env.example**
   - If these are example keys: Acceptable to keep
   - If real keys: Replace with `YOUR_*_API_KEY_HERE`
3. **Add `import os` statements**
   - Python files using `os.getenv()` need `import os` at top

## Immediate Actions Required

### DO NOT:

- Push to GitHub without remediation
- Commit files with hardcoded keys
- Deploy code with hardcoded keys
- Share repository publicly

### DO:

- Review remediation options with team
- Decide on remediation strategy (Option 1, 2, or 3)
- Run remediation script OR manually fix
- Verify all fixes with `grep` scan
- Test application still works after remediation
- Rotate API keys if they are real/active keys
- Update .env.example with placeholders
- Commit remediated code only

## Verification After Remediation

```bash
# Scan for remaining hardcoded keys
grep -r -i "sk-or-v1\|sk-dBoxml" backend/
# Should return ZERO results (or only .env.example if using placeholders)
# If any results found in code files, continue remediation
```

## Post-Remediation Checklist

- [ ] All hardcoded keys replaced in Python files
- [ ] All hardcoded keys replaced in JSON files
- [ ] .env.example contains only placeholders
- [ ] No secrets in git history (we're starting fresh, so OK)
- [ ] Application tested with environment variables
- [ ] README updated with environment setup instructions
- [ ] .gitignore verified (already created)
- [ ] Final security scan clean

## Contact for Questions

**Security Team:**

- CTO Michael Wegener ([email protected])

**Master Thesis Supervisor:**

- (Contact info)

---

**REMEDIATION STATUS:** PENDING
**Last Updated:** 2025-11-11 12:46 CET
**Action Owner:** Hanan (Master Student)
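The grep above only finds the two known values and, with `*.py` globs elsewhere in this plan, can miss the `.py.backup` and `.env.example` files listed as affected. The following scanner is an added example, not part of the project: it matches the shape of each key family (the `sk-or-v1-` plus 64 hex form and the `sk-` plus 22 alphanumerics form are assumptions derived from the two keys listed above), scans those extra suffixes, reports only redacted values, and exits non-zero so it can run as a pre-commit hook.

```python
import re
import sys
from pathlib import Path
from typing import NamedTuple

# Shapes of the two leaked key families rather than their exact values (an
# assumption from the two keys in this document). Matching the shape also
# catches a rotated key pasted back into the code, which a grep for the old
# values would miss.
KEY_PATTERNS = {
    "openrouter": re.compile(r"sk-or-v1-[0-9a-f]{64}"),
    "colossus": re.compile(r"\bsk-(?!or-v1-)[A-Za-z0-9]{22}\b"),
}
# .example and .backup cover .env.example and agent_manager_hybrid.py.backup,
# both listed as affected but skipped by a "*.py" glob.
SCAN_SUFFIXES = (".py", ".json", ".example", ".backup", ".md", ".txt")


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    redacted: str  # never print the full secret in scanner output


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Return one Finding per key-shaped token in text, with the value redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                findings.append(Finding(path, line_no, kind, f"{token[:6]}...{token[-4:]}"))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Scan every file under root whose suffix is in SCAN_SUFFIXES."""
    findings = []
    for file in sorted(root.rglob("*")):
        if file.is_file() and file.suffix in SCAN_SUFFIXES:
            findings.extend(scan_text(file.read_text(errors="replace"), str(file)))
    return findings


if __name__ == "__main__":
    hits = scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else "backend"))
    for hit in hits:
        print(f"{hit.path}:{hit.line_no}: {hit.kind} key {hit.redacted}")
    sys.exit(1 if hits else 0)  # non-zero exit makes it usable as a pre-commit hook
```

Placeholders such as `YOUR_COLOSSUS_API_KEY_HERE` do not match either pattern, so a correctly remediated `.env.example` produces no findings.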