# 🚨 CRITICAL SECURITY REMEDIATION REQUIRED

**Status:** ⛔ **DO NOT PUSH TO GITHUB YET**

**Date:** 2025-11-11

**Severity:** CRITICAL

## Security Issue Discovered

After importing source code from le-chantier, security scanning revealed **hardcoded API keys in 40+ files** scattered throughout the codebase.

## API Keys Found

**Two API keys hardcoded in multiple locations:**

1. **Colossus API Key:** `sk-dBoxml3krytIRLdjr35Lnw`
2. **OpenRouter API Key:** `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`

## Affected Files (40+ instances)

### Agents (6 instances)

- `backend/agents/colossus_agent.py` - Default api_key parameter
- `backend/agents/colossus_saap_agent.py` - API_KEY constant
- `backend/agents/openrouter_agent_enhanced.py` - API_KEY constant
- `backend/agents/openrouter_saap_agent.py` - COLOSSUS_KEY constant

### API Clients (2 instances)

- `backend/api/colossus_client.py` - Default api_key parameter
- `backend/api/openrouter_client.py` - Hardcoded api_key variable

### Configuration (4 instances)

- `backend/config/settings.py` - Default values for both keys (2 instances)
- `backend/settings.py` - Duplicate default values (2 instances)

### Models & Schemas (12+ instances)

- `backend/models/agent.py` - Template defaults (3 instances)
- `backend/models/agent_schema.json` - Schema examples (3 instances)
- `backend/models/agent_templates.json` - Template defaults (5 instances)
- `backend/agent.py` - Duplicate file (3 instances)
- `backend/agent_schema.json` - Duplicate schema (3 instances)
- `backend/agent_templates.json` - Duplicate templates (5 instances)

### Services (3 instances)

- `backend/services/agent_manager_hybrid.py` - Default fallback
- `backend/services/agent_manager_hybrid_fixed.py` - Default fallback
- `backend/services/openrouter_integration.py` - Constructor default
- `backend/openrouter_integration.py` - Duplicate file
- `backend/agent_manager_hybrid.py` - Duplicate file
- `backend/agent_manager_hybrid.py.backup` - Backup file
- `backend/agent_manager_hybrid_fixed.py` - Duplicate file

### Scripts & Tests (1 instance)

- `backend/scripts/test_colossus_integration.py` - Test API_KEY constant
- `backend/test_colossus_integration.py` - Duplicate file

### Main Application (1 instance)

- `backend/main.py` - Hardcoded openrouter_key variable

### Environment Template (2 instances)

- `backend/.env.example` - **BOTH keys present** (may be acceptable for an example file, but verify that these are dummy keys first)

## Remediation Plan

### Option 1: Environment Variables (Recommended)

**Replace all hardcoded keys with environment variable lookups:**

```python
# BEFORE (agents/colossus_agent.py)
api_key: str = "sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
import os
api_key: str = os.getenv("COLOSSUS_API_KEY", "")
```

```python
# BEFORE (config/settings.py)
default="sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
default=os.getenv("COLOSSUS_API_KEY", "")
```

### Option 2: Remove Defaults Entirely (Most Secure)

**Force explicit configuration, no fallbacks:**

```python
# BEFORE
api_key: str = "sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
api_key: str  # No default - must be provided explicitly
```

### Option 3: Use Placeholder Values

**Replace with obvious placeholders:**

```python
# BEFORE
api_key: str = "sk-dBoxml3krytIRLdjr35Lnw"

# AFTER
api_key: str = "YOUR_COLOSSUS_API_KEY_HERE"
```

## Automated Remediation Script

```bash
#!/bin/bash
# cleanup-secrets.sh
# Requires GNU sed (-i without a suffix argument). Run from the repository root.
set -euo pipefail

# Python files: match the WHOLE double-quoted literal, quotes included.
# Replacing only the bare key would leave the quotes in place and turn the
# line into the string "os.getenv(...)" instead of a call to os.getenv().
# Adjust the pattern if any file uses single quotes around the key.
# Every touched file still needs `import os` at the top.
find backend/ -type f -name "*.py" -exec sed -i \
  's/"sk-dBoxml3krytIRLdjr35Lnw"/os.getenv("COLOSSUS_API_KEY", "")/g' {} +
find backend/ -type f -name "*.py" -exec sed -i \
  's/"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"/os.getenv("OPENROUTER_API_KEY", "")/g' {} +

# JSON files: replace only the key itself so the surrounding quotes stay valid JSON.
find backend/ -type f -name "*.json" -exec sed -i \
  's/sk-dBoxml3krytIRLdjr35Lnw/YOUR_COLOSSUS_API_KEY_HERE/g' {} +
find backend/ -type f -name "*.json" -exec sed -i \
  's/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/YOUR_OPENROUTER_API_KEY_HERE/g' {} +

# Not covered by the globs above: backend/agent_manager_hybrid.py.backup and
# backend/.env.example - handle both by hand (see Manual Review below).
echo "✅ Secrets remediated - verify changes before committing"
```

## Manual Review Required

**Before running automated fixes:**

1. **Verify whether these are real API keys or test keys**
   - If test keys: they can be replaced with placeholders
   - If real keys: **MUST invalidate/rotate immediately**
2. **Check .env.example**
   - If these are example keys: acceptable to keep
   - If real keys: replace with `YOUR_*_API_KEY_HERE`
3. **Add `import os` statements**
   - Python files using `os.getenv()` need `import os` at the top

## Immediate Actions Required

### DO NOT:

- ❌ Push to GitHub without remediation
- ❌ Commit files with hardcoded keys
- ❌ Deploy code with hardcoded keys
- ❌ Share repository publicly

### DO:

- ✅ Review remediation options with team
- ✅ Decide on remediation strategy (Option 1, 2, or 3)
- ✅ Run remediation script OR manually fix
- ✅ Verify all fixes with `grep` scan
- ✅ Test application still works after remediation
- ✅ Rotate API keys if they are real/active keys
- ✅ Update .env.example with placeholders
- ✅ Commit remediated code only

## Verification After Remediation

```bash
# Scan for remaining hardcoded keys (-n prints the line number of each hit)
grep -rn -i -E "sk-or-v1|sk-dBoxml" backend/

# Should return ZERO results (or only .env.example if using placeholders)
# If any results are found in code files, continue remediation
```

## Post-Remediation Checklist

- [ ] All hardcoded keys replaced in Python files
- [ ] All hardcoded keys replaced in JSON files
- [ ] .env.example contains only placeholders
- [ ] No secrets in git history (we're starting fresh, so OK)
- [ ] Application tested with environment variables
- [ ] README updated with environment setup instructions
- [ ] .gitignore verified (already created)
- [ ] Final security scan clean

## Contact for Questions

**Security Team:**

- CTO Michael Wegener (mw@satware.com)

**Master Thesis Supervisor:**

- (Contact info)

---

**REMEDIATION STATUS:** ⏳ PENDING

**Last Updated:** 2025-11-11 12:46 CET

**Action Owner:** Hanan (Master Student)
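Option 2 above removes the fallback default; the loader below (an added example, not code from the note or the le-chantier repository) shows how to make that refusal explicit at startup instead of letting `os.getenv(NAME, "")` silently hand an empty key to the clients. The two variable names come from the note; the `Settings` class, the mapping-based loader and the error wording are assumptions.

```python
"""Fail-fast settings loader for Option 2 (added example, not the project's code).
The two variable names come from the remediation note; the Settings class, the
mapping-based loader and the error wording are assumptions for illustration."""
import os
from dataclasses import dataclass
from typing import Mapping, Optional

REQUIRED_KEYS = ("COLOSSUS_API_KEY", "OPENROUTER_API_KEY")

@dataclass(frozen=True)
class Settings:
    colossus_api_key: str
    openrouter_api_key: str

    def __repr__(self) -> str:
        # Never echo key material into logs or tracebacks.
        return "Settings(colossus_api_key=<redacted>, openrouter_api_key=<redacted>)"

def validation_problems(env: Mapping[str, str]) -> list:
    """List what is wrong with env, naming variables but never their values.
    Rejects unset/empty values (what os.getenv(NAME, "") would silently accept)
    and the YOUR_*_API_KEY_HERE placeholders copied over from .env.example."""
    problems = []
    for name in REQUIRED_KEYS:
        value = env.get(name, "").strip()
        if not value:
            problems.append(f"{name} is not set")
        elif value.startswith("YOUR_") and value.endswith("_API_KEY_HERE"):
            problems.append(f"{name} still holds the .env.example placeholder")
    return problems

def load_settings(env: Optional[Mapping[str, str]] = None) -> Settings:
    """Build Settings from env (default: os.environ) or refuse to start."""
    env = os.environ if env is None else env
    problems = validation_problems(env)
    if problems:
        raise RuntimeError("Refusing to start: " + "; ".join(problems))
    return Settings(colossus_api_key=env["COLOSSUS_API_KEY"].strip(),
                    openrouter_api_key=env["OPENROUTER_API_KEY"].strip())

if __name__ == "__main__":
    # Prints the redacted repr, or raises naming the missing/placeholder variables.
    print(load_settings())
```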
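The `grep` verification and the post-remediation checklist only look for the two exact key strings. The scanner below is an added example (not the note's own script) that generalises that check to the two key *shapes* named in the note, so a rotated key that is accidentally re-committed is also caught, and it covers the `.py.backup` and `.env.example` files the `sed` globs skip. File extensions and the `YOUR_*_API_KEY_HERE` placeholder form come from the note; the regexes, the redaction format and the default scan root are assumptions.

```python
"""Post-remediation key scan (added example, not the note's own script).
Flags the two key *shapes* from the note ("sk-..." and "sk-or-v1-...") rather
than only the two exact strings the grep check matches, so a rotated key that
gets re-committed is still caught. Extensions and the YOUR_*_API_KEY_HERE
placeholder form come from the note; the rest is assumed for illustration."""
import re
import sys
from pathlib import Path

# "sk-", optional OpenRouter "or-v1-" prefix, then 20+ alphanumerics (assumed shape).
KEY_RE = re.compile(r"\bsk-(?:or-v1-)?[A-Za-z0-9]{20,}")
# Placeholder form used by remediation Option 3 and expected in .env.example.
PLACEHOLDER_RE = re.compile(r"YOUR_[A-Z_]+_API_KEY_HERE")
# ".example" covers .env.example, ".backup" the stray *.py.backup file,
# neither of which the *.py / *.json sed globs touch.
SCAN_SUFFIXES = {".py", ".json", ".example", ".backup"}

def redact(secret: str) -> str:
    """Prefix plus length only, so findings can be logged without re-leaking a key."""
    return f"{secret[:8]}...({len(secret)} chars)"

def scan_text(text: str, path: str = "<memory>") -> list:
    """Return (path, line_no, redacted_match) for each key-shaped literal in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((path, line_no, redact(match.group(0))))
    return findings

def env_example_is_clean(text: str) -> bool:
    """Checklist item: every *_API_KEY assignment in .env.example is a placeholder."""
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip().endswith("_API_KEY") \
                and not PLACEHOLDER_RE.fullmatch(value.strip()):
            return False
    return True

def scan_tree(root: Path) -> list:
    """Scan every file under root whose suffix is in SCAN_SUFFIXES."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings

if __name__ == "__main__":  # usage: python scan_keys.py backend/
    hits = scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else "backend"))
    for file, line_no, shown in hits:
        print(f"{file}:{line_no}: key-shaped literal {shown}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks a commit hook or CI step
```

Run it as a pre-commit hook or CI step; a finding in `.env.example` is fine only if `env_example_is_clean()` is also true for that file.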