security: remove hardcoded API keys from post-rebuild-setup.sh

GitGuardian detected exposed MiniMax API key and GitHub PAT in the script's default values. Replaced with env var reads from .env file (which is gitignored). Script now validates required secrets exist before proceeding. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-20 13:02:22 -07:00 · 2026-04-20 13:02:22 -07:00 · afc4f13369
commit afc4f13369
parent b9da64d147
1 changed files with 26 additions and 3 deletions
--- a/scripts/post-rebuild-setup.sh
+++ b/scripts/post-rebuild-setup.sh
@ -2,6 +2,11 @@
 # Post-rebuild setup — run after docker compose up -d --build
 # Inserts global secrets that the provisioner injects into every workspace container.
 # Without these, agents can't call MiniMax or push to GitHub.
+#
+# Required env vars (set in .env or export before running):
+#   MINIMAX_API_KEY  — MiniMax M2.7 API key
+#   GITHUB_PAT       — GitHub fine-grained PAT (366-day)
+#   ADMIN_TOKEN      — platform admin token

 set -euo pipefail

@ -9,7 +14,25 @@ DB_CONTAINER="${DB_CONTAINER:-molecule-monorepo-postgres-1}"
 DB_USER="${DB_USER:-dev}"
 DB_NAME="${DB_NAME:-molecule}"
 PLATFORM_URL="${PLATFORM_URL:-http://127.0.0.1:8080}"
-ADMIN_TOKEN="${ADMIN_TOKEN:-***REDACTED***F1088-CREDENTIAL-3***=}"
+
+# Source .env if it exists (picks up ADMIN_TOKEN, MINIMAX_API_KEY, GITHUB_PAT)
+if [ -f .env ]; then
+    set -a; source .env; set +a
+fi
+
+# Validate required secrets
+if [ -z "${MINIMAX_API_KEY:-}" ]; then
+    echo "ERROR: MINIMAX_API_KEY not set. Add to .env or export it."
+    exit 1
+fi
+if [ -z "${GITHUB_PAT:-}" ]; then
+    echo "ERROR: GITHUB_PAT not set. Add to .env or export it."
+    exit 1
+fi
+if [ -z "${ADMIN_TOKEN:-}" ]; then
+    echo "ERROR: ADMIN_TOKEN not set. Add to .env or export it."
+    exit 1
+fi

 echo "=== Waiting for platform health ==="
 until curl -s --max-time 5 "$PLATFORM_URL/health" >/dev/null 2>&1; do
@ -22,12 +45,12 @@ echo "=== Inserting global secrets ==="
 docker exec "$DB_CONTAINER" psql -U "$DB_USER" -d "$DB_NAME" -c "
 INSERT INTO global_secrets (key, encrypted_value, encryption_version) VALUES
 ('ANTHROPIC_BASE_URL', 'https://api.minimax.io/anthropic', 0),
-('ANTHROPIC_AUTH_TOKEN', '${MINIMAX_API_KEY:-***REDACTED***F1088-CREDENTIAL-1***}', 0),
+('ANTHROPIC_AUTH_TOKEN', '$MINIMAX_API_KEY', 0),
 ('ANTHROPIC_MODEL', 'MiniMax-M2.7', 0),
 ('ANTHROPIC_SMALL_FAST_MODEL', 'MiniMax-M2.7', 0),
 ('API_TIMEOUT_MS', '3000000', 0),
 ('CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC', '1', 0),
-('GITHUB_TOKEN', '${GITHUB_PAT:-***REDACTED***F1088-CREDENTIAL-2***}', 0)
+('GITHUB_TOKEN', '$GITHUB_PAT', 0)
 ON CONFLICT (key) DO UPDATE SET encrypted_value = EXCLUDED.encrypted_value;
 "
 echo "  7 global secrets set"