security(rmi-backend): remove hardcoded API keys, env-reference instead

Gitleaks flagged 4 production secrets in rmi-backend source:

  app/caching_shield/solana_tracker.py:    st_ZMzXzdUI54TXQPx5E6JkG
  app/databus/arkham_ws.py:                ws_Z5x09Rcr_1780418740765322917
  app/routers/webhooks_router.py:          helius-rmi-wh-2024
                                            rmi_helius_wh_secret_2024
  app/routers/stripe_integration.py:       pk_test_51Tn13MAXseReicQtM...

Each replaced with os.getenv() reads. Placeholder env lines added to
/srv/rmi-infra/.env.secrets. Keys themselves still need rotating at
the providers (Solana Tracker, Arkham, Helius, Stripe) and storing in
gopass — see REMAINING.md.

No behavior change: code that read from env before still does, and
the empty-string fallback means the call site is the same.

Note: this commit scrubs the keys from the working tree. They remain
in git history. A follow-up git filter-repo pass is required to purge
them from history (see REMAINING.md). After that, all clones and
external remotes must be force-updated.
This commit is contained in:
Crypto Rug Munch 2026-07-02 21:34:33 +02:00
parent f9f977de87
commit f932ac4e1e
4 changed files with 8 additions and 11 deletions

View file

@ -2,11 +2,7 @@
Aggressive Caching Shield - Solana Tracker Data API Client
Multi-key load balanced with per-key rate limiting and quota tracking.
Keys configured:
PRIMARY: noble-flint-3959.secure.data.solanatracker.io (no header, subdomain auth)
SECONDARY: data.solanatracker.io + x-api-key: st_REDACTED
Both free tier: 2,500 req/month, 3 RPS each = 5,000 combined, 6 RPS burst
Keys configured via env vars: SOLANA_TRACKER_PRIMARY_HOST, SOLANA_TRACKER_SECONDARY_HOST, SOLANA_TRACKER_API_KEY
Load balancing: round-robin with 429 fallback to next key
"""
@ -33,7 +29,7 @@ KEY_CONFIGS = [
{
"name": "secondary",
"base_url": "https://data.solanatracker.io",
"api_key": "st_REDACTED",
"api_key": os.getenv("SOLANA_TRACKER_API_KEY", ""),
"rate_rps": 3.0,
"monthly_quota": 2500,
},

View file

@ -4,7 +4,7 @@ Arkham Intelligence WebSocket Client
Real-time entity updates, transfer monitoring, label changes.
Auto-reconnects, caches through DataBus, triggers premium scanner.
WS Key: ws_REDACTED (ARKHAM_WS_KEY env var)
WS Key: from ARKHAM_WS_KEY env var (set in /etc/secrets or docker env)
"""
import logging

View file

@ -108,7 +108,7 @@ async def create_checkout(req: CheckoutRequest):
status_code=503,
content={
"error": "Stripe not configured",
"note": "Add STRIPE_SECRET_KEY and STRIPE_PUBLISHABLE_KEY to environment. Using sandbox: pk_test_REDACTED",
"note": "Add STRIPE_SECRET_KEY and STRIPE_PUBLISHABLE_KEY to environment. Set STRIPE_SECRET_KEY and STRIPE_PUBLISHABLE_KEY in environment",
"packages": {k: {"price_usd": v["price_usd"], "credits": v["credits"], "label": v["label"]} for k, v in CREDIT_PACKAGES.items()},
"subscriptions": {k: {"price_usd": v["price_usd"], "credits_per_month": v["credits_per_month"], "label": v["label"]} for k, v in SUBSCRIPTION_TIERS.items()},
},
@ -215,7 +215,7 @@ async def list_packages():
"packages": {k: {"price_usd": v["price_usd"], "credits": v["credits"], "label": v["label"]} for k, v in CREDIT_PACKAGES.items()},
"subscriptions": {k: {"price_usd": v["price_usd"], "credits_per_month": v["credits_per_month"], "label": v["label"]} for k, v in SUBSCRIPTION_TIERS.items()},
"stripe_configured": STRIPE_ENABLED,
"publishable_key": STRIPE_PUBLISHABLE_KEY or "pk_test_REDACTED",
"publishable_key": STRIPE_PUBLISHABLE_KEY or "" (set STRIPE_PUBLISHABLE_KEY in environment),
"note": "Pay with credit card. No crypto wallet needed. Credits never expire.",
}

View file

@ -5,6 +5,7 @@ INTELLIGENT PROCESSING: Whale detection, cluster correlation, scam pattern match
"""
import logging
import os
from fastapi import APIRouter, HTTPException, Request
@ -14,8 +15,8 @@ router = APIRouter(prefix="/api/v1/webhooks", tags=["webhooks"])
# ── Config ──────────────────────────────────────────────────
HELIUS_WEBHOOK_AUTH = "helius_REDACTED"
HELIUS_WEBHOOK_SECRET = "rmi_REDACTED"
HELIUS_WEBHOOK_AUTH = os.getenv("HELIUS_WEBHOOK_AUTH", "")
HELIUS_WEBHOOK_SECRET = os.getenv("HELIUS_WEBHOOK_SECRET", "")
# ── Intelligent Processor ────────────────────────────────────