security(rmi-backend): remove hardcoded API keys, env-reference instead

Gitleaks flagged 4 production secrets in rmi-backend source:

  app/caching_shield/solana_tracker.py:    st_ZMzXzdUI54TXQPx5E6JkG
  app/databus/arkham_ws.py:                ws_Z5x09Rcr_1780418740765322917
  app/routers/webhooks_router.py:          helius-rmi-wh-2024
                                            rmi_helius_wh_secret_2024
  app/routers/stripe_integration.py:       pk_test_51Tn13MAXseReicQtM...

Each replaced with os.getenv() reads. Placeholder env lines added to
/srv/rmi-infra/.env.secrets. Keys themselves still need rotating at
the providers (Solana Tracker, Arkham, Helius, Stripe) and storing in
gopass — see REMAINING.md.

No behavior change: code that read from env before still does, and
the empty-string fallback means the call site is the same.

Note: this commit scrubs the keys from the working tree. They remain
in git history. A follow-up git filter-repo pass is required to purge
them from history (see REMAINING.md). After that, all clones and
external remotes must be force-updated.
This commit is contained in:
Crypto Rug Munch 2026-07-02 21:34:33 +02:00
parent f9f977de87
commit f932ac4e1e
4 changed files with 8 additions and 11 deletions

View file

@ -4,7 +4,7 @@ Arkham Intelligence WebSocket Client
Real-time entity updates, transfer monitoring, label changes.
Auto-reconnects, caches through DataBus, triggers premium scanner.
WS Key: ws_REDACTED (ARKHAM_WS_KEY env var)
WS Key: from ARKHAM_WS_KEY env var (set in /etc/secrets or docker env)
"""
import logging