security: remove all hardcoded API keys, require from environment

oib
2026-02-11 21:33:18 +01:00
parent b36e5a33ea
commit 15675390ac
46 changed files with 107 additions and 107 deletions

View File

@@ -17,8 +17,8 @@ All AITBC API endpoints require authentication using API keys.
### Testing/Development
For integration tests and development, these test keys are available:
- `REDACTED_CLIENT_KEY` - For client API access
- `REDACTED_MINER_KEY` - For miner registration
- `${CLIENT_API_KEY}` - For client API access
- `${MINER_API_KEY}` - For miner registration
- `test-tenant` - Default tenant ID for testing
## Using API Keys
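Review bot: The unchanged sentence "these test keys are available:" no longer matches the list under it, because the two changed entries are now variable names rather than keys a reader can use. Reword it to say that the client and miner keys must be supplied through `CLIENT_API_KEY` and `MINER_API_KEY`. Since the previous values remain in the repository history, the documentation should also state that they have been rotated and must not be reused.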

View File

@@ -271,7 +271,7 @@ This document tracks components that have been successfully deployed and are ope
- Result submission now returns 200 OK instead of 500 Internal Server Error
-**Miner Configuration Fix**
- Updated miner ID from `host-gpu-miner` to `REDACTED_MINER_KEY` for proper job assignment
- Updated miner ID from `host-gpu-miner` to `${MINER_API_KEY}` for proper job assignment
- Added explicit flush logging handler for better systemd journal visibility
- Enhanced systemd unit with unbuffered logging environment variables
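Review bot: In the "Updated miner ID from `host-gpu-miner` to ..." line, the replacement turns a miner ID into `${MINER_API_KEY}`, so the changelog now says the miner's identifier is its API key. If the ID and the key really are the same string, that is a design issue worth a follow-up (an identifier appears in logs and job assignments, a secret should not). If they are distinct, use a neutral placeholder such as `<miner-id>` here so the entry does not suggest putting the key in the ID field.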

View File

@@ -25,7 +25,7 @@ This document illustrates the complete flow of a job submission through the CLI
1. Bash script (`aitbc-cli.sh`) parses arguments
2. Sets environment variables:
- `AITBC_URL=http://127.0.0.1:18000`
- `CLIENT_KEY=REDACTED_CLIENT_KEY`
- `CLIENT_KEY=${CLIENT_API_KEY}`
3. Calls Python client: `python3 cli/client.py --url $AITBC_URL --api-key $CLIENT_KEY submit inference --prompt "..."`
### 2. Python Client Processing
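Review bot: Step 3 still passes the key as `--api-key $CLIENT_KEY`, and now that `CLIENT_KEY` carries a real value from the environment, that value appears in the process argument list, where other local users can read it for as long as the client runs. Consider having `cli/client.py` read `CLIENT_API_KEY` from the environment itself and dropping the `--api-key` argument from the documented flow. If the argument stays, quote the expansion (`"$CLIENT_KEY"`).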
@@ -40,7 +40,7 @@ This document illustrates the complete flow of a job submission through the CLI
"type": "inference",
"prompt": "What is machine learning?",
"model": "llama3.2:latest",
"client_key": "REDACTED_CLIENT_KEY",
"client_key": "${CLIENT_API_KEY}",
"timestamp": "2025-01-29T14:50:00Z"
}
```
@@ -52,7 +52,7 @@ This document illustrates the complete flow of a job submission through the CLI
POST /v1/jobs
Host: 127.0.0.1:18000
Content-Type: application/json
X-Api-Key: REDACTED_CLIENT_KEY
X-Api-Key: ${CLIENT_API_KEY}
{
"type": "inference",
@@ -84,7 +84,7 @@ X-Api-Key: REDACTED_CLIENT_KEY
{
"type": "submit_job",
"job_id": "job_123456",
"client": "REDACTED_CLIENT_KEY",
"client": "${CLIENT_API_KEY}",
"payload_hash": "abc123...",
"reward": "100aitbc"
}
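Review bot: The `"client": "${CLIENT_API_KEY}"` field in this `submit_job` object documents the client's API key as part of the transaction payload, next to `payload_hash` and `reward`. Anything written into a transaction is readable by everyone who can read the ledger, so this field should carry a client identifier or address rather than the credential. Please confirm what the code actually puts there and use a placeholder such as `<client-id>` in the example.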
@@ -110,14 +110,14 @@ X-Api-Key: REDACTED_CLIENT_KEY
2. Miner selection algorithm runs:
- Check available miners
- Select based on stake, reputation, capacity
3. Selected miner: `REDACTED_MINER_KEY`
3. Selected miner: `${MINER_API_KEY}`
**Coordinator → Miner Daemon (Port 18001):**
```http
POST /v1/jobs/assign
Host: 127.0.0.1:18001
Content-Type: application/json
X-Api-Key: REDACTED_ADMIN_KEY
X-Api-Key: ${ADMIN_API_KEY}
{
"job_id": "job_123456",
@@ -183,7 +183,7 @@ Content-Type: application/json
POST /v1/jobs/job_123456/complete
Host: 127.0.0.1:18000
Content-Type: application/json
X-Miner-Key: REDACTED_MINER_KEY
X-Miner-Key: ${MINER_API_KEY}
{
"job_id": "job_123456",
@@ -210,8 +210,8 @@ X-Miner-Key: REDACTED_MINER_KEY
{
"receipt_id": "receipt_789",
"job_id": "job_123456",
"client": "REDACTED_CLIENT_KEY",
"miner": "REDACTED_MINER_KEY",
"client": "${CLIENT_API_KEY}",
"miner": "${MINER_API_KEY}",
"amount_paid": "0.25aitbc",
"result_hash": "hash_of_result",
"block_height": 12345,
@@ -244,7 +244,7 @@ X-Miner-Key: REDACTED_MINER_KEY
```http
GET /v1/jobs/job_123456
Host: 127.0.0.1:18000
X-Api-Key: REDACTED_CLIENT_KEY
X-Api-Key: ${CLIENT_API_KEY}
```
**Response:**

View File

@@ -117,7 +117,7 @@ incus exec aitbc -- systemctl reload nginx
```bash
# Check each service
curl -k https://aitbc.bubuit.net/api/health
curl -k https://aitbc.bubuit.net/admin/stats -H "X-Api-Key: REDACTED_ADMIN_KEY"
curl -k https://aitbc.bubuit.net/admin/stats -H "X-Api-Key: ${ADMIN_API_KEY}"
curl -k https://aitbc.bubuit.net/rpc/head
```
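Review bot: The `/admin/stats` check sends `${ADMIN_API_KEY}` with `curl -k`, which disables certificate verification, so the admin key would be sent to whatever host answers for `aitbc.bubuit.net`. With a real key now expanded from the environment, drop `-k` from this line, or point curl at the right CA with `--cacert` if the certificate is not publicly trusted.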

View File

@@ -69,7 +69,7 @@ These instructions cover the newly scaffolded services. Install dependencies usi
python - <<'PY'
from aitbc_sdk import CoordinatorReceiptClient, verify_receipt
client = CoordinatorReceiptClient("http://localhost:8011", "REDACTED_CLIENT_KEY")
client = CoordinatorReceiptClient("http://localhost:8011", "${CLIENT_API_KEY}")
receipt = client.fetch_latest("<job_id>")
verification = verify_receipt(receipt)
print("miner signature valid:", verification.miner_signature.valid)
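Review bot: In the `CoordinatorReceiptClient(...)` line, `"${CLIENT_API_KEY}"` is never expanded: the heredoc is opened with a quoted delimiter (`<<'PY'`), so the shell leaves the body untouched, and Python does not interpolate `${...}` in a string literal. The client is constructed with the literal text `${CLIENT_API_KEY}` as its key. Read the value inside the script instead, for example with `os.environ["CLIENT_API_KEY"]` after an `import os`, so the snippet fails loudly when the variable is unset.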

View File

@@ -74,9 +74,9 @@ DATABASE_URL=sqlite:///./coordinator.db
# or: DATABASE_URL=postgresql://user:pass@localhost:5432/aitbc
# Auth
CLIENT_API_KEYS=REDACTED_CLIENT_KEY,client_dev_key_2
MINER_API_KEYS=REDACTED_MINER_KEY,miner_dev_key_2
ADMIN_API_KEYS=REDACTED_ADMIN_KEY
CLIENT_API_KEYS=${CLIENT_API_KEY},client_dev_key_2
MINER_API_KEYS=${MINER_API_KEY},miner_dev_key_2
ADMIN_API_KEYS=${ADMIN_API_KEY}
# Security
HMAC_SECRET=change_me
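Review bot: `client_dev_key_2` and `miner_dev_key_2` are left as literal keys on the changed `CLIENT_API_KEYS` and `MINER_API_KEYS` lines, and `HMAC_SECRET=change_me` is untouched, so this file still ships hardcoded credentials despite the commit title. Replace them with variables or remove them. Also note that whether `${CLIENT_API_KEY}` is expanded depends on what loads this file (a systemd `EnvironmentFile`, for instance, does not expand it), so the documentation should say which loader is assumed, and the service should refuse to start when a key resolves to an empty or unexpanded value.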
@@ -349,7 +349,7 @@ def match_next_job(miner):
**Client creates a job**
```bash
curl -sX POST http://127.0.0.1:8011/v1/jobs \
-H 'X-Api-Key: REDACTED_CLIENT_KEY' \
-H 'X-Api-Key: ${CLIENT_API_KEY}' \
-H 'Idempotency-Key: 7d4a...' \
-H 'Content-Type: application/json' \
-d '{
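Review bot: The changed header `-H 'X-Api-Key: ${CLIENT_API_KEY}'` is in single quotes, so the shell does not expand the variable and curl sends the literal text `${CLIENT_API_KEY}` as the key. Use double quotes, as in `-H "X-Api-Key: ${CLIENT_API_KEY}"`. The miner register, poll, result and client fetch examples in the following hunks of this file use the same single-quoted form and need the same change.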
@@ -361,12 +361,12 @@ curl -sX POST http://127.0.0.1:8011/v1/jobs \
**Miner registers + polls**
```bash
curl -sX POST http://127.0.0.1:8011/v1/miners/register \
-H 'X-Api-Key: REDACTED_MINER_KEY' \
-H 'X-Api-Key: ${MINER_API_KEY}' \
-H 'Content-Type: application/json' \
-d '{"capabilities":{"gpu":"RTX4060Ti","cuda":"12.3","vram_gb":16},"concurrency":2,"region":"eu-central"}'
curl -i -sX POST http://127.0.0.1:8011/v1/miners/poll \
-H 'X-Api-Key: REDACTED_MINER_KEY' \
-H 'X-Api-Key: ${MINER_API_KEY}' \
-H 'Content-Type: application/json' \
-d '{"max_wait_seconds":10}'
```
@@ -374,7 +374,7 @@ curl -i -sX POST http://127.0.0.1:8011/v1/miners/poll \
**Miner submits result**
```bash
curl -sX POST http://127.0.0.1:8011/v1/miners/<JOB_ID>/result \
-H 'X-Api-Key: REDACTED_MINER_KEY' \
-H 'X-Api-Key: ${MINER_API_KEY}' \
-H 'Content-Type: application/json' \
-d '{"result":{"sum":5},"metrics":{"latency_ms":42}}'
```
@@ -382,7 +382,7 @@ curl -sX POST http://127.0.0.1:8011/v1/miners/<JOB_ID>/result \
**Client fetches result**
```bash
curl -s http://127.0.0.1:8011/v1/jobs/<JOB_ID>/result \
-H 'X-Api-Key: REDACTED_CLIENT_KEY'
-H 'X-Api-Key: ${CLIENT_API_KEY}'
```
---

View File

@@ -11,7 +11,7 @@
- ✅ Deployed real GPU miner on host with NVIDIA RTX 4060 Ti (16GB)
- ✅ Integrated Ollama for LLM inference across 13+ models
- ✅ Configured systemd service (`aitbc-host-gpu-miner.service`)
- ✅ Fixed miner ID configuration (REDACTED_MINER_KEY)
- ✅ Fixed miner ID configuration (${MINER_API_KEY})
- ✅ Enhanced logging with flush handlers for systemd journal visibility
- ✅ Verified end-to-end workflow: job polling → Ollama inference → result submission → receipt generation
@@ -24,7 +24,7 @@
### Integration Points
- Coordinator API: http://127.0.0.1:18000 (via Incus proxy)
- Miner ID: REDACTED_MINER_KEY
- Miner ID: ${MINER_API_KEY}
- Heartbeat interval: 15 seconds
- Job polling: 3-second intervals
- Result submission: JSON with metrics and execution details

View File

@@ -98,7 +98,7 @@ CREATE TABLE job_payments (
### 1. Client Creates Job
```bash
curl -X POST http://localhost:18000/v1/jobs \
-H "X-Api-Key: REDACTED_CLIENT_KEY" \
-H "X-Api-Key: ${CLIENT_API_KEY}" \
-H "Content-Type: application/json" \
-d '{
"payload": {
@@ -124,7 +124,7 @@ curl -X POST http://localhost:18000/v1/jobs \
### 3. Job Completion & Payment Release
```bash
curl -X POST http://localhost:18000/v1/payments/pay456/release \
-H "X-Api-Key: REDACTED_CLIENT_KEY" \
-H "X-Api-Key: ${CLIENT_API_KEY}" \
-d '{"job_id": "abc123", "reason": "Job completed"}'
```

View File

@@ -22,7 +22,7 @@
### 4. Missing API Keys
- **Problem**: Some requests were missing the required `X-Api-Key` header
- **Solution**: Added `X-Api-Key: REDACTED_CLIENT_KEY` to all requests
- **Solution**: Added `X-Api-Key: ${CLIENT_API_KEY}` to all requests
### 5. Non-existent Endpoints
- **Problem**: Tests were calling endpoints that don't exist (e.g., `/v1/jobs/{id}/complete`)

View File

@@ -112,9 +112,9 @@ python -m pytest -m integration
### Authentication Issues?
- Use correct API keys:
- Client: `REDACTED_CLIENT_KEY`
- Miner: `REDACTED_MINER_KEY`
- Admin: `REDACTED_ADMIN_KEY`
- Client: `${CLIENT_API_KEY}`
- Miner: `${MINER_API_KEY}`
- Admin: `${ADMIN_API_KEY}`
## 📝 Next Steps

View File

@@ -390,7 +390,7 @@ This roadmap aggregates high-priority tasks derived from the bootstrap specifica
- ✅ Validate receipt payload structure and signature generation
- **Miner Configuration & Optimization**
- ✅ Fix miner ID mismatch (host-gpu-miner → REDACTED_MINER_KEY)
- ✅ Fix miner ID mismatch (host-gpu-miner → ${MINER_API_KEY})
- ✅ Enhance logging with explicit flush handlers for systemd journal
- ✅ Configure unbuffered Python logging environment variables
- ✅ Create systemd service unit with proper environment configuration