From afc4f13369f0115a18c22effa27c4dd1c8aab6d8 Mon Sep 17 00:00:00 2001 From: rabbitblood Date: Mon, 20 Apr 2026 13:02:22 -0700 Subject: [PATCH] security: remove hardcoded API keys from post-rebuild-setup.sh GitGuardian detected exposed MiniMax API key and GitHub PAT in the script's default values. Replaced with env var reads from .env file (which is gitignored). Script now validates required secrets exist before proceeding. Co-Authored-By: Claude Opus 4.6 (1M context) --- scripts/post-rebuild-setup.sh | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/scripts/post-rebuild-setup.sh b/scripts/post-rebuild-setup.sh index 7a1ea393..afa370e4 100644 --- a/scripts/post-rebuild-setup.sh +++ b/scripts/post-rebuild-setup.sh @@ -2,6 +2,11 @@ # Post-rebuild setup — run after docker compose up -d --build # Inserts global secrets that the provisioner injects into every workspace container. # Without these, agents can't call MiniMax or push to GitHub. +# +# Required env vars (set in .env or export before running): +# MINIMAX_API_KEY — MiniMax M2.7 API key +# GITHUB_PAT — GitHub fine-grained PAT (366-day) +# ADMIN_TOKEN — platform admin token set -euo pipefail @@ -9,7 +14,25 @@ DB_CONTAINER="${DB_CONTAINER:-molecule-monorepo-postgres-1}" DB_USER="${DB_USER:-dev}" DB_NAME="${DB_NAME:-molecule}" PLATFORM_URL="${PLATFORM_URL:-http://127.0.0.1:8080}" -ADMIN_TOKEN="${ADMIN_TOKEN:-***REDACTED***F1088-CREDENTIAL-3***=}" + +# Source .env if it exists (picks up ADMIN_TOKEN, MINIMAX_API_KEY, GITHUB_PAT) +if [ -f .env ]; then + set -a; source .env; set +a +fi + +# Validate required secrets +if [ -z "${MINIMAX_API_KEY:-}" ]; then + echo "ERROR: MINIMAX_API_KEY not set. Add to .env or export it." + exit 1 +fi +if [ -z "${GITHUB_PAT:-}" ]; then + echo "ERROR: GITHUB_PAT not set. Add to .env or export it." + exit 1 +fi +if [ -z "${ADMIN_TOKEN:-}" ]; then + echo "ERROR: ADMIN_TOKEN not set. Add to .env or export it." + exit 1 +fi echo "=== Waiting for platform health ===" until curl -s --max-time 5 "$PLATFORM_URL/health" >/dev/null 2>&1; do @@ -22,12 +45,12 @@ echo "=== Inserting global secrets ===" docker exec "$DB_CONTAINER" psql -U "$DB_USER" -d "$DB_NAME" -c " INSERT INTO global_secrets (key, encrypted_value, encryption_version) VALUES ('ANTHROPIC_BASE_URL', 'https://api.minimax.io/anthropic', 0), -('ANTHROPIC_AUTH_TOKEN', '${MINIMAX_API_KEY:-***REDACTED***F1088-CREDENTIAL-1***}', 0), +('ANTHROPIC_AUTH_TOKEN', '$MINIMAX_API_KEY', 0), ('ANTHROPIC_MODEL', 'MiniMax-M2.7', 0), ('ANTHROPIC_SMALL_FAST_MODEL', 'MiniMax-M2.7', 0), ('API_TIMEOUT_MS', '3000000', 0), ('CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC', '1', 0), -('GITHUB_TOKEN', '${GITHUB_PAT:-***REDACTED***F1088-CREDENTIAL-2***}', 0) +('GITHUB_TOKEN', '$GITHUB_PAT', 0) ON CONFLICT (key) DO UPDATE SET encrypted_value = EXCLUDED.encrypted_value; " echo " 7 global secrets set"