security(rmi-backend): remove hardcoded API keys, env-reference instead
Gitleaks flagged 4 production secrets in rmi-backend source:
app/caching_shield/solana_tracker.py: st_ZMzXzdUI54TXQPx5E6JkG
app/databus/arkham_ws.py: ws_Z5x09Rcr_1780418740765322917
app/routers/webhooks_router.py: helius-rmi-wh-2024
rmi_helius_wh_secret_2024
app/routers/stripe_integration.py: pk_test_51Tn13MAXseReicQtM...
Each replaced with os.getenv() reads. Placeholder env lines added to
/srv/rmi-infra/.env.secrets. Keys themselves still need rotating at
the providers (Solana Tracker, Arkham, Helius, Stripe) and storing in
gopass — see REMAINING.md.
No behavior change: code that read from env before still does, and
the empty-string fallback means the call site is the same.
Note: this commit scrubs the keys from the working tree. They remain
in git history. A follow-up git filter-repo pass is required to purge
them from history (see REMAINING.md). After that, all clones and
external remotes must be force-updated.
This commit is contained in:
parent
f9f977de87
commit
f932ac4e1e
4 changed files with 8 additions and 11 deletions
|
|
@ -4,7 +4,7 @@ Arkham Intelligence WebSocket Client
|
|||
Real-time entity updates, transfer monitoring, label changes.
|
||||
Auto-reconnects, caches through DataBus, triggers premium scanner.
|
||||
|
||||
WS Key: ws_REDACTED (ARKHAM_WS_KEY env var)
|
||||
WS Key: from ARKHAM_WS_KEY env var (set in /etc/secrets or docker env)
|
||||
"""
|
||||
|
||||
import logging
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue