@MikeVenge
Owner

Summary

Removes all hardcoded Fireworks AI API keys from codebase and implements secure environment variable-based configuration. Adds comprehensive security documentation and enhanced git ignore patterns to prevent future credential leaks.

Changes

  • Replaced hardcoded API keys with FIREWORKS_API_KEY environment variable in Python and shell scripts
  • Added validation and helpful error messages when API key is missing
  • Enhanced .gitignore with comprehensive credential file patterns (*.env, *.key, *.pem, secrets/, etc.)
  • Updated 6 documentation files to use placeholders and reference secure key management
  • Created SECURITY_MIGRATION.md with complete remediation guide covering key revocation, generation, git history scrubbing, and team coordination
  • Created SECURITY_REMEDIATION_SUMMARY.md with actionable checklist and verification steps

Testing

  • Verify scripts fail gracefully when FIREWORKS_API_KEY is not set
  • Confirm scripts work correctly with environment variable set
  • Validate no hardcoded keys remain in codebase: grep -r "fw_[a-zA-Z0-9]" . --exclude-dir=.git
  • Check .gitignore patterns cover credential files

Notes

⚠️ CRITICAL - Manual Actions Required:

Phase 1 (IMMEDIATE):

  • Revoke exposed API keys from Fireworks AI dashboard:
    • fw_3ZNkrZnbfKVHhU65bFirkpJr
    • fw_3ZHFp8ZR5WeoadXcFcjEKY4z
  • Generate new API keys with least privilege scope

Phase 2 (TODAY):

  • Scrub git history using git-filter-repo or BFG (see SECURITY_MIGRATION.md)
  • Force push cleaned history: git push origin --force --all
  • Notify all team members to re-clone repository

Phase 3 (THIS WEEK):

  • Update production environments (Railway, Vercel) with new keys
  • Implement prevention measures (git-secrets pre-commit hooks)
  • Verify scrubbing success with historical searches

See SECURITY_MIGRATION.md and SECURITY_REMEDIATION_SUMMARY.md for detailed instructions and checklists.


Related: Security remediation for exposed API credentials

BREAKING CHANGE: Git history rewritten to remove exposed credentials. All collaborators must re-clone and set FIREWORKS_API_KEY environment variable.
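
The two checks listed under Testing above (failing cleanly when FIREWORKS_API_KEY is unset, and finding key-shaped strings left in the tree), as an added example that is not code from this pull request. The function names, the `fw_` prefix check and the 20-character minimum are assumptions derived from the grep pattern in the description.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: keys are "fw_" plus 20+ alphanumerics (tighter than the PR's grep,
# so placeholders such as fw_YOUR_KEY_HERE are not reported).
KEY_RE = re.compile(r"\bfw_[A-Za-z0-9]{20,}\b")

def load_api_key(env=os.environ):
    """Return the key from the environment or fail with an actionable message."""
    key = env.get("FIREWORKS_API_KEY", "").strip()
    if not key:
        raise RuntimeError("FIREWORKS_API_KEY is not set; export it before running")
    if not key.startswith("fw_"):
        raise RuntimeError("FIREWORKS_API_KEY is set but lacks the fw_ prefix")
    return key

def scan_tree(root, skip_dirs=(".git",)):
    """List (relative path, line number, redacted match) for key-shaped strings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or any(p in skip_dirs for p in rel.parts):
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in KEY_RE.finditer(line):
                # Redact so the report itself does not leak the credential.
                findings.append((rel.as_posix(), lineno, m.group()[:6] + "..."))
    return findings

def demo():
    """Scan a constructed tree: one leaked key, one placeholder, one .git object."""
    fake = "fw_" + "EXAMPLE0" * 3  # constructed value, not a real key
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / ".git").mkdir()
        (root / ".git" / "packed").write_text(fake)
        (root / "README.md").write_text("export FIREWORKS_API_KEY=fw_YOUR_KEY_HERE\n")
        (root / "run.py").write_text(f'import os\nAPI_KEY = "{fake}"\n')
        return scan_tree(root)

if __name__ == "__main__":
    for path, lineno, hit in demo():
        print(f"{path}:{lineno}: {hit}")
```

Like the grep in the description, this skips `.git` and so covers only the working tree; the Phase 3 historical search has to be run against the rewritten history separately.
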
@vercel

vercel bot commented Dec 19, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Review | Updated (UTC)
pddl | Ready | Preview, Comment | Dec 19, 2025 5:03pm
