feat(secrets): gopass-based secret backend (PRY_SECRET_BACKEND)

The SECURITY.md contract said "use gopass" but the code only used
os.getenv. The deploy at /srv/pry/ had an .env file with secrets in
it, which violates the SECURITY.md threat model.

New module secrets_backend.py provides:
  get_secret(name, default) - resolves from gopass, env, or file
  set_secret(name, value)   - writes to gopass
  backend_info()            - diagnostic dict for /health or /status

Backends selected by PRY_SECRET_BACKEND env var:
  gopass (default) - reads from gopass at pry/<name>
  env              - reads from os.environ (PRY_<NAME> or PRY_<name>)
  file             - reads from PRY_ENV_FILE (default: PRY_DATA_DIR/.env)
  auto             - tries gopass, falls back to env

Refactored call sites:
  auth.py:        JWT_SECRET (was: os.getenv + ephemeral random default)
  x402.py:        X402_WALLET, X402_FACILITATOR_URL (was: os.getenv)

Seeded initial secrets on Talos (5 entries under pry/):
  jwt_secret, api_key, x402_wallet, x402_facilitator, ollama_url

Updated .env.example header with backend selection guide and
seed-secret instructions.

Tests: 9/9 in test_secrets_backend.py pass. 36 tests in
test_x402_mcp_spec.py + test_secrets_backend.py all pass.

Verified end-to-end:
  >>> import x402
  >>> x402.X402_WALLET
  '0xYourWalletAddressHere'
  >>> import auth
  >>> auth.JWT_SECRET
  'change-me-rotate-quarterly'

Follow-up: rotate jwt_secret and api_key to real random values.
Document the rotation cadence in SECURITY.md.
This commit is contained in:
Crypto Rug Munch 2026-07-02 20:26:00 +02:00
parent dd63022530
commit 80b067ea3b
5 changed files with 385 additions and 5 deletions

View file

@ -4,8 +4,24 @@
# Licensed under MIT. See LICENSE.
# ── Pry Configuration ──
# Copy this to .env and adjust values.
# All PRY_* vars are auto-loaded by PrySettings.
# Copy this to .env and adjust values. All PRY_* vars are auto-loaded.
#
# ── SECRET BACKEND (see secrets_backend.py) ──
# Pry resolves secrets via secrets_backend.get_secret(name). Default backend is gopass.
# Override with PRY_SECRET_BACKEND:
# gopass (default) - reads from the gopass store under pry/<name>
# env - reads from os.environ (PRY_<NAME> or PRY_<name>)
# file - reads from PRY_ENV_FILE (default: $PRY_DATA_DIR/.env)
# auto - tries gopass, falls back to env (default)
#
# Seed initial secrets (one time):
# gopass insert -m pry/jwt_secret # opens editor, paste a strong random value
# gopass insert -m pry/api_key
# gopass insert -m pry/x402_wallet # your receiving EVM/Solana address
# gopass insert -m pry/x402_facilitator # https://x402.org/facilitator or your own
#
# Per the SECURITY.md contract, NO secrets live in .env in production.
# .env is for local dev and CI only.
# ── Core ──
PRY_HOST=0.0.0.0