diff --git a/.env.example b/.env.example
index 781919f..9694286 100644
--- a/.env.example
+++ b/.env.example
@@ -10,8 +10,12 @@ AGENT_PRIVATE_KEY=0x...
 # Set via: npx wrangler secret put PAY_TO_ADDRESS --cwd packages/worker
 PAY_TO_ADDRESS=0x...
-# Lemma API (pre-configured for demo, optional)
-# LEMMA_API_KEY=your_lemma_api_key_here
+# Lemma API key.
+# For deployed workers: set as an encrypted Cloudflare Workers secret —
+# npx wrangler secret put LEMMA_API_KEY --cwd packages/worker
+# For local dev: create packages/worker/.dev.vars (gitignored) with
+# LEMMA_API_KEY="..."
+# Optional — the demo path works without a key, but rate limits apply.
 # Blog URL to verify (optional, defaults to example)
 # BLOG_URL=https://example-blog.com/articles/zk-proofs
diff --git a/README.md b/README.md
index 8578e13..4d7cb0c 100644
--- a/README.md
+++ b/README.md
@@ -81,15 +81,17 @@ pnpm install
 cp .env.example .env
 # Required: PAY_TO_ADDRESS, AGENT_PRIVATE_KEY
-# Worker CDP credentials (for x402 facilitator auth)
-# Get keys from https://portal.cdp.coinbase.com/
+# Worker secrets (kept out of git via `.dev.vars`)
+# - CDP keys for x402 facilitator auth: https://portal.cdp.coinbase.com/
+# - LEMMA_API_KEY: optional for demo; required for higher rate limits
 cat > packages/worker/.dev.vars << 'EOF'
 CDP_API_KEY_ID=your_key_id
 CDP_API_KEY_SECRET=your_key_secret
+LEMMA_API_KEY=your_lemma_api_key
 EOF
 ```
-> The worker's `wrangler.toml` includes a demo `LEMMA_API_KEY` and `FACILITATOR_URL` pre-configured for Base Sepolia — no extra setup needed.
+> The worker's `wrangler.toml` ships `LEMMA_API_BASE` and `FACILITATOR_URL` for Base Sepolia. `LEMMA_API_KEY` is treated as a secret and is not committed — set it as a Cloudflare Workers secret for deployments (`npx wrangler secret put LEMMA_API_KEY --cwd packages/worker`) and via `packages/worker/.dev.vars` for local dev.
 ### 2. Start the worker
diff --git a/packages/worker/src/index.test.ts b/packages/worker/src/index.test.ts
index bac7f72..aeb456a 100644
--- a/packages/worker/src/index.test.ts
+++ b/packages/worker/src/index.test.ts
@@ -1,11 +1,12 @@
 /**
- * Worker tests — 402 response shape verification.
- *
- * Tests that x402 payment-required responses have the correct structure.
+ * Worker tests — 402 response shape verification and secret-redaction
+ * regression guard.
  */
 import { describe, it, expect } from "vitest";
 import { Hono } from "hono";
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
 // ---------------------------------------------------------------------------
 // Types (mirrored from index.ts for testing)
@@ -168,6 +169,23 @@ describe("Worker", () => {
 });
 });
+ describe("wrangler.toml secret redaction", () => {
+ // Regression guard: a previous revision committed LEMMA_API_KEY as a
+ // literal value under [vars] in packages/worker/wrangler.toml. Secrets
+ // must live in `wrangler secret put` (production) or .dev.vars (local).
+ // If this test fails, someone re-introduced a literal key — move it back
+ // to a secret and refresh the test fixture.
+ it("does not contain a literal LEMMA_API_KEY in vars", () => {
+ const wranglerToml = readFileSync(
+ join(__dirname, "..", "wrangler.toml"),
+ "utf-8",
+ );
+ // Match `LEMMA_API_KEY` followed by `=` and any non-comment value.
+ const literalAssignment = /^\s*LEMMA_API_KEY\s*=/m;
+ expect(wranglerToml).not.toMatch(literalAssignment);
+ });
+ });
+
 describe("Health check endpoint", () => {
 it("should return ok status", async () => {
 const app = new Hono<{ Bindings: Env }>();
diff --git a/packages/worker/wrangler.toml b/packages/worker/wrangler.toml
index fa2f118..253a894 100644
--- a/packages/worker/wrangler.toml
+++ b/packages/worker/wrangler.toml
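Review bot: The guard in the new `it` block only matches the exact binding name `LEMMA_API_KEY`, while the value removed from `wrangler.toml` in this same commit is a bare 64-hex-digit string, so the same key pasted back under another name would pass the test. A second assertion on the value shape closes that gap: `expect(wranglerToml).not.toMatch(/["'][0-9a-f]{64}["']/i);` (the `0x`-prefixed 40-digit `PAY_TO_ADDRESS` does not match it). The `__dirname` reference relies on the test runner supplying a CommonJS-style global; if the package is ESM, `fileURLToPath(new URL("../wrangler.toml", import.meta.url))` is the portable form — which applies is not visible in this diff. The enclosing `describe("Worker", ...)` starts before this hunk.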
@@ -8,8 +8,10 @@ port = 8787
 [vars]
 LEMMA_API_BASE = "https://workers.lemma.workers.dev"
-# Demo-only API key — safe to commit (read-only, scoped to demo data)
-LEMMA_API_KEY = "b6363aa6265322ed0d786a11d5b6d3264947052ca72deba4cbe1685d099af892"
+# LEMMA_API_KEY is set as an encrypted Cloudflare Workers secret, not in vars.
+# wrangler secret put LEMMA_API_KEY --cwd packages/worker
+# For local dev, put it in packages/worker/.dev.vars (gitignored).
+# The demo path works without a key, but is rate-limited.
 FACILITATOR_URL = "https://api.cdp.coinbase.com/platform/v2/x402"
 LEMMA_RELAY_URL = "https://p01--lemma-relay-api--svxwx5rc5jzx.code.run/"
 PAY_TO_ADDRESS = "0x000000000000000000000000000000000000dEaD"
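Review bot: Removing the `LEMMA_API_KEY = "..."` line does not revoke the value: it remains in the history of every existing clone, so the key should be rotated on the Lemma side as part of this change, and the removed comment's claim that it was read-only and scoped to demo data is something this diff cannot confirm. The new comment states that `packages/worker/.dev.vars` is gitignored, but no `.gitignore` change appears in this diff, so that rule is worth verifying before the README instructions send developers to write real keys there. A short pointer in the replacement comment would help the next maintainer, e.g. `# Do not add LEMMA_API_KEY here: src/index.test.ts fails if it is assigned in this file.`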