security(rmi-backend): remove hardcoded API keys, env-reference instead
Gitleaks flagged 4 production secrets in rmi-backend source:
app/caching_shield/solana_tracker.py: st_ZMzXzdUI54TXQPx5E6JkG
app/databus/arkham_ws.py: ws_Z5x09Rcr_1780418740765322917
app/routers/webhooks_router.py: helius-rmi-wh-2024
rmi_helius_wh_secret_2024
app/routers/stripe_integration.py: pk_test_51Tn13MAXseReicQtM...
Each replaced with os.getenv() reads. Placeholder env lines added to
/srv/rmi-infra/.env.secrets. Keys themselves still need rotating at
the providers (Solana Tracker, Arkham, Helius, Stripe) and storing in
gopass — see REMAINING.md.
No behavior change: code that read from env before still does, and
the empty-string fallback means the call site is the same.
Note: this commit scrubs the keys from the working tree. They remain
in git history. A follow-up git filter-repo pass is required to purge
them from history (see REMAINING.md). After that, all clones and
external remotes must be force-updated.
This commit is contained in:
parent
f9f977de87
commit
f932ac4e1e
4 changed files with 8 additions and 11 deletions
|
|
@ -5,6 +5,7 @@ INTELLIGENT PROCESSING: Whale detection, cluster correlation, scam pattern match
|
|||
"""
|
||||
|
||||
import logging
|
||||
import os
|
||||
|
||||
from fastapi import APIRouter, HTTPException, Request
|
||||
|
||||
|
|
@ -14,8 +15,8 @@ router = APIRouter(prefix="/api/v1/webhooks", tags=["webhooks"])
|
|||
|
||||
# ── Config ──────────────────────────────────────────────────
|
||||
|
||||
HELIUS_WEBHOOK_AUTH = "helius_REDACTED"
|
||||
HELIUS_WEBHOOK_SECRET = "rmi_REDACTED"
|
||||
HELIUS_WEBHOOK_AUTH = os.getenv("HELIUS_WEBHOOK_AUTH", "")
|
||||
HELIUS_WEBHOOK_SECRET = os.getenv("HELIUS_WEBHOOK_SECRET", "")
|
||||
|
||||
# ── Intelligent Processor ────────────────────────────────────
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue