fix(security): redact LEMMA_API_KEY from committed wrangler.toml#9
Closed
yumemayu wants to merge 2 commits into
Closed
fix(security): redact LEMMA_API_KEY from committed wrangler.toml#9yumemayu wants to merge 2 commits into
yumemayu wants to merge 2 commits into
Conversation
Per the 4/18 assessment Phase 1-A: the worker's packages/worker/wrangler.toml had LEMMA_API_KEY committed as a literal string under [vars]. In a public repository every prior commit still contains the value, so the key should be rotated out-of-band; this change removes the literal from HEAD and aligns the codebase with Cloudflare Workers' standard secret pattern. ### Changes - `packages/worker/wrangler.toml`: drop the literal LEMMA_API_KEY line from [vars]. Add a comment that points to `wrangler secret put LEMMA_API_KEY --cwd packages/worker` and `packages/worker/.dev.vars` (already gitignored). - `.env.example`: rewrite the LEMMA_API_KEY block with the same guidance (Cloudflare secret for deploy, .dev.vars for local). - `README.md`: extend the Configure step to put LEMMA_API_KEY into `.dev.vars` alongside the CDP keys, and update the note that the worker no longer ships with a demo LEMMA_API_KEY value. - `packages/worker/src/index.test.ts`: add a regression test that reads `packages/worker/wrangler.toml` and asserts no literal `LEMMA_API_KEY = ...` assignment under [vars]. The test fails loudly if anyone reintroduces a committed key value. ### Worker code (unchanged) The worker already reads LEMMA_API_KEY exclusively from `c.env` (types in `Env`, used by `lemmaHeaders()`). No code change is needed for the read path — only the source of the value changes. ### Out of scope (per the brief) - Phase 1-B (TypeError) and Phase 1-C (API path): not actioned in this PR. The 4/18 assessment doc isn't in the repo and no matching TypeError reproduces in the current test suite. Phase 1-C paths already match `@lemmaoracle/spec@0.0.21` (`/v1/verified-attributes/query`) and PR #6 added path- consistency tests for the agent / worker endpoints. - Phase 2: already completed in PR #6 (DEMO_MODE removal). - Phase 3 docs: only the LEMMA_API_KEY-related lines touched here. - Bedrock AgentCore integration, KYC attribute-proof demo, x402 Bazaar metadata: out of scope per the brief. ### Operational follow-up (not in this PR) Rotate the LEMMA_API_KEY on the Lemma side and store the new value via `wrangler secret put`. The previously committed value remains visible in git history. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
….toml PR #9 review feedback: the same demo-without-key + rate-limit caveat that lives in .env.example was missing from the wrangler.toml comment header. Add it so both files describe the optional-key behavior the same way. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
aggre
approved these changes
May 12, 2026
Member
aggre
left a comment
aggre
left a comment
There was a problem hiding this comment.
LGTM — demo key rotation is unnecessary given the context (example repo, no self-service key issuance, demo-scoped key). The structural fix (removing literal from vars, pointing to secret pattern) is the right change.
Member
Hold decision (CTO)This PR is on hold until a self-service API Key issuance dashboard is implemented (#10). Rationale: The current demo key is intentionally exposed as an accepted risk. Redacting it from config without providing users a way to issue their own keys would break the demo experience. Once the dashboard is ready, this PR can be merged + the key rotated. Do NOT merge until #10 is resolved. |
Member
|
Closing per discussion (2026-05-14): the API key in |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Per the 4/18 assessment Phase 1-A (security hard blocker):
packages/worker/wrangler.tomlhadLEMMA_API_KEYcommitted as a literal string under[vars]. This PR removes the literal from HEAD and aligns the codebase with Cloudflare Workers' standard secret pattern.Files touched
packages/worker/wrangler.tomlLEMMA_API_KEY = "…"line from[vars]. Add a comment pointing towrangler secret put LEMMA_API_KEY --cwd packages/worker(for deploys) andpackages/worker/.dev.vars(gitignored, for local dev)..env.exampleLEMMA_API_KEYblock with the same guidance.README.mdLEMMA_API_KEYinto.dev.varsalongside the CDP keys; replace the old "the worker ships with a demo LEMMA_API_KEY" note with the new secret-based flow.packages/worker/src/index.test.tswrangler.tomland asserts no literalLEMMA_API_KEY = …assignment under[vars]. Fails loudly if anyone re-introduces a committed value.Worker code (unchanged)
The worker already reads
LEMMA_API_KEYexclusively fromc.env(typed inEnv, used bylemmaHeaders()). Only the source of the value changes.Out of scope (per the brief)
@lemmaoracle/spec@0.0.21(/v1/verified-attributes/query). PR fix: remove DEMO_MODE, add minimal Vitest tests #6 already added path-consistency tests for the agent / worker endpoints.LEMMA_API_KEY-related lines are touched here; the rest of the docs are coherent with the current state.Operational follow-up (not in this PR)
Rotate the LEMMA_API_KEY on the Lemma side and store the new value via
wrangler secret put. The previously committed value remains visible in git history — removing it from HEAD does not erase it from prior commits.Test plan
pnpm test— 7 worker tests pass (was 6; +1 regression test), 5 agent tests pass.pnpm --filter @example-x402/worker run type-check— 0 errors.npx wrangler secret put LEMMA_API_KEY --cwd packages/worker(with a fresh, rotated key) on each deployed Worker environment.https://workers.lemma.workers.dev/v1/verified-attributes/queryvia a manualpnpm dev:worker+pnpm agentround-trip.🤖 Generated with Claude Code