security: remove all hardcoded API keys, require from environment

apps/coordinator-api/.env.example

@@ -2,9 +2,9 @@ APP_ENV=dev
 APP_HOST=127.0.0.1
 APP_PORT=8011
 DATABASE_URL=sqlite:///./coordinator.db
-CLIENT_API_KEYS=REDACTED_CLIENT_KEY,client_dev_key_2
-MINER_API_KEYS=REDACTED_MINER_KEY,miner_dev_key_2
-ADMIN_API_KEYS=REDACTED_ADMIN_KEY
+CLIENT_API_KEYS=${CLIENT_API_KEY},client_dev_key_2
+MINER_API_KEYS=${MINER_API_KEY},miner_dev_key_2
+ADMIN_API_KEYS=${ADMIN_API_KEY}
 HMAC_SECRET=change_me
 ALLOW_ORIGINS=*
 JOB_TTL_SECONDS=900

apps/coordinator-api/src/app/config.py

@@ -11,9 +11,9 @@ class Settings(BaseSettings):
 
     database_url: str = "sqlite:///./coordinator.db"
 
-    client_api_keys: List[str] = ["REDACTED_CLIENT_KEY"]
-    miner_api_keys: List[str] = ["REDACTED_MINER_KEY"]
-    admin_api_keys: List[str] = ["REDACTED_ADMIN_KEY"]
+    client_api_keys: List[str] = []
+    miner_api_keys: List[str] = []
+    admin_api_keys: List[str] = []
 
     hmac_secret: Optional[str] = None
     allow_origins: List[str] = ["*"]

apps/coordinator-api/tests/test_client_receipts.py

@@ -26,7 +26,7 @@ def test_receipt_endpoint_returns_signed_receipt(test_client: TestClient):
     resp = test_client.post(
         "/v1/miners/register",
         json={"capabilities": {"price": 1}, "concurrency": 1},
-        headers={"X-Api-Key": "REDACTED_MINER_KEY"},
+        headers={"X-Api-Key": "${MINER_API_KEY}"},
     )
     assert resp.status_code == 200
 
@@ -37,7 +37,7 @@ def test_receipt_endpoint_returns_signed_receipt(test_client: TestClient):
     resp = test_client.post(
         "/v1/jobs",
         json=job_payload,
-        headers={"X-Api-Key": "REDACTED_CLIENT_KEY"},
+        headers={"X-Api-Key": "${CLIENT_API_KEY}"},
     )
     assert resp.status_code == 201
     job_id = resp.json()["job_id"]
@@ -46,7 +46,7 @@ def test_receipt_endpoint_returns_signed_receipt(test_client: TestClient):
     poll_resp = test_client.post(
         "/v1/miners/poll",
         json={"max_wait_seconds": 1},
-        headers={"X-Api-Key": "REDACTED_MINER_KEY"},
+        headers={"X-Api-Key": "${MINER_API_KEY}"},
     )
     assert poll_resp.status_code in (200, 204)
 
@@ -58,7 +58,7 @@ def test_receipt_endpoint_returns_signed_receipt(test_client: TestClient):
     result_resp = test_client.post(
         f"/v1/miners/{job_id}/result",
         json=result_payload,
-        headers={"X-Api-Key": "REDACTED_MINER_KEY"},
+        headers={"X-Api-Key": "${MINER_API_KEY}"},
     )
     assert result_resp.status_code == 200
     signed_receipt = result_resp.json()["receipt"]
@@ -67,7 +67,7 @@ def test_receipt_endpoint_returns_signed_receipt(test_client: TestClient):
     # fetch receipt via client endpoint
     receipt_resp = test_client.get(
         f"/v1/jobs/{job_id}/receipt",
-        headers={"X-Api-Key": "REDACTED_CLIENT_KEY"},
+        headers={"X-Api-Key": "${CLIENT_API_KEY}"},
     )
     assert receipt_resp.status_code == 200
     payload = receipt_resp.json()

apps/trade-exchange/index.html

@@ -812,7 +812,7 @@
                 // Display demo offers
                 displayGPUOffers([{
                     id: '1',
-                    provider: 'REDACTED_MINER_KEY',
+                    provider: '${MINER_API_KEY}',
                     capacity: 1,
                     price: 50,
                     attributes: {

apps/wallet-daemon/src/app/settings.py

@@ -13,7 +13,7 @@ class Settings(BaseSettings):
     debug: bool = Field(default=False)
 
     coordinator_base_url: str = Field(default="http://localhost:8011", alias="COORDINATOR_BASE_URL")
-    coordinator_api_key: str = Field(default="REDACTED_CLIENT_KEY", alias="COORDINATOR_API_KEY")
+    coordinator_api_key: str = Field(default="${CLIENT_API_KEY}", alias="COORDINATOR_API_KEY")
 
     rest_prefix: str = Field(default="/v1", alias="REST_PREFIX")
     ledger_db_path: Path = Field(default=Path("./data/wallet_ledger.db"), alias="LEDGER_DB_PATH")