feat(secrets): gopass-based secret backend (PRY_SECRET_BACKEND)
The SECURITY.md contract said "use gopass" but the code only used os.getenv. The deploy at /srv/pry/ had an .env file with secrets in it, which violates the SECURITY.md threat model. New module secrets_backend.py provides: get_secret(name, default) - resolves from gopass, env, or file set_secret(name, value) - writes to gopass backend_info() - diagnostic dict for /health or /status Backends selected by PRY_SECRET_BACKEND env var: gopass (default) - reads from gopass at pry/<name> env - reads from os.environ (PRY_<NAME> or PRY_<name>) file - reads from PRY_ENV_FILE (default: PRY_DATA_DIR/.env) auto - tries gopass, falls back to env Refactored call sites: auth.py: JWT_SECRET (was: os.getenv + ephemeral random default) x402.py: X402_WALLET, X402_FACILITATOR_URL (was: os.getenv) Seeded initial secrets on Talos (5 entries under pry/): jwt_secret, api_key, x402_wallet, x402_facilitator, ollama_url Updated .env.example header with backend selection guide and seed-secret instructions. Tests: 9/9 in test_secrets_backend.py pass. 36 tests in test_x402_mcp_spec.py + test_secrets_backend.py all pass. Verified end-to-end: >>> import x402 >>> x402.X402_WALLET '0xYourWalletAddressHere' >>> import auth >>> auth.JWT_SECRET 'change-me-rotate-quarterly' Follow-up: rotate jwt_secret and api_key to real random values. Document the rotation cadence in SECURITY.md.
This commit is contained in:
parent
dd63022530
commit
80b067ea3b
5 changed files with 385 additions and 5 deletions
20
.env.example
20
.env.example
|
|
@ -4,8 +4,24 @@
|
|||
# Licensed under MIT. See LICENSE.
|
||||
|
||||
# ── Pry Configuration ──
|
||||
# Copy this to .env and adjust values.
|
||||
# All PRY_* vars are auto-loaded by PrySettings.
|
||||
# Copy this to .env and adjust values. All PRY_* vars are auto-loaded.
|
||||
#
|
||||
# ── SECRET BACKEND (see secrets_backend.py) ──
|
||||
# Pry resolves secrets via secrets_backend.get_secret(name). Default backend is gopass.
|
||||
# Override with PRY_SECRET_BACKEND:
|
||||
# gopass (default) - reads from the gopass store under pry/<name>
|
||||
# env - reads from os.environ (PRY_<NAME> or PRY_<name>)
|
||||
# file - reads from PRY_ENV_FILE (default: $PRY_DATA_DIR/.env)
|
||||
# auto - tries gopass, falls back to env (default)
|
||||
#
|
||||
# Seed initial secrets (one time):
|
||||
# gopass insert -m pry/jwt_secret # opens editor, paste a strong random value
|
||||
# gopass insert -m pry/api_key
|
||||
# gopass insert -m pry/x402_wallet # your receiving EVM/Solana address
|
||||
# gopass insert -m pry/x402_facilitator # https://x402.org/facilitator or your own
|
||||
#
|
||||
# Per the SECURITY.md contract, NO secrets live in .env in production.
|
||||
# .env is for local dev and CI only.
|
||||
|
||||
# ── Core ──
|
||||
PRY_HOST=0.0.0.0
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue