fix(security): redact LEMMA_API_KEY from committed wrangler.toml

.env.example

@@ -10,8 +10,12 @@ AGENT_PRIVATE_KEY=0x...
 # Set via: npx wrangler secret put PAY_TO_ADDRESS --cwd packages/worker
 PAY_TO_ADDRESS=0x...
 
-# Lemma API (pre-configured for demo, optional)
-# LEMMA_API_KEY=your_lemma_api_key_here
+# Lemma API key.
+# For deployed workers: set as an encrypted Cloudflare Workers secret —
+#   npx wrangler secret put LEMMA_API_KEY --cwd packages/worker
+# For local dev: create packages/worker/.dev.vars (gitignored) with
+#   LEMMA_API_KEY="..."
+# Optional — the demo path works without a key, but rate limits apply.
 
 # Blog URL to verify (optional, defaults to example)
 # BLOG_URL=https://example-blog.com/articles/zk-proofs

README.md

@@ -81,15 +81,17 @@ pnpm install
 cp .env.example .env
 # Required: PAY_TO_ADDRESS, AGENT_PRIVATE_KEY
 
-# Worker CDP credentials (for x402 facilitator auth)
-# Get keys from https://portal.cdp.coinbase.com/
+# Worker secrets (kept out of git via `.dev.vars`)
+# - CDP keys for x402 facilitator auth: https://portal.cdp.coinbase.com/
+# - LEMMA_API_KEY: optional for demo; required for higher rate limits
 cat > packages/worker/.dev.vars << 'EOF'
 CDP_API_KEY_ID=your_key_id
 CDP_API_KEY_SECRET=your_key_secret
+LEMMA_API_KEY=your_lemma_api_key
 EOF
 ```
 
-> The worker's `wrangler.toml` includes a demo `LEMMA_API_KEY` and `FACILITATOR_URL` pre-configured for Base Sepolia — no extra setup needed.
+> The worker's `wrangler.toml` ships `LEMMA_API_BASE` and `FACILITATOR_URL` for Base Sepolia. `LEMMA_API_KEY` is treated as a secret and is not committed — set it as a Cloudflare Workers secret for deployments (`npx wrangler secret put LEMMA_API_KEY --cwd packages/worker`) and via `packages/worker/.dev.vars` for local dev.
 
 ### 2. Start the worker
 

packages/worker/src/index.test.ts

@@ -1,11 +1,12 @@
 /**
- * Worker tests — 402 response shape verification.
- *
- * Tests that x402 payment-required responses have the correct structure.
+ * Worker tests — 402 response shape verification and secret-redaction
+ * regression guard.
  */
 
 import { describe, it, expect } from "vitest";
 import { Hono } from "hono";
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
 
 // ---------------------------------------------------------------------------
 // Types (mirrored from index.ts for testing)
@@ -168,6 +169,23 @@ describe("Worker", () => {
     });
   });
 
+  describe("wrangler.toml secret redaction", () => {
+    // Regression guard: a previous revision committed LEMMA_API_KEY as a
+    // literal value under [vars] in packages/worker/wrangler.toml. Secrets
+    // must live in `wrangler secret put` (production) or .dev.vars (local).
+    // If this test fails, someone re-introduced a literal key — move it back
+    // to a secret and refresh the test fixture.
+    it("does not contain a literal LEMMA_API_KEY in vars", () => {
+      const wranglerToml = readFileSync(
+        join(__dirname, "..", "wrangler.toml"),
+        "utf-8",
+      );
+      // Match `LEMMA_API_KEY` followed by `=` and any non-comment value.
+      const literalAssignment = /^\s*LEMMA_API_KEY\s*=/m;
+      expect(wranglerToml).not.toMatch(literalAssignment);
+    });
+  });
+
   describe("Health check endpoint", () => {
     it("should return ok status", async () => {
       const app = new Hono<{ Bindings: Env }>();

packages/worker/wrangler.toml

@@ -8,8 +8,10 @@ port = 8787
 
 [vars]
 LEMMA_API_BASE = "https://workers.lemma.workers.dev"
-# Demo-only API key — safe to commit (read-only, scoped to demo data)
-LEMMA_API_KEY = "b6363aa6265322ed0d786a11d5b6d3264947052ca72deba4cbe1685d099af892"
+# LEMMA_API_KEY is set as an encrypted Cloudflare Workers secret, not in vars.
+#   wrangler secret put LEMMA_API_KEY --cwd packages/worker
+# For local dev, put it in packages/worker/.dev.vars (gitignored).
+# The demo path works without a key, but is rate-limited.
 FACILITATOR_URL = "https://api.cdp.coinbase.com/platform/v2/x402"
 LEMMA_RELAY_URL = "https://p01--lemma-relay-api--svxwx5rc5jzx.code.run/"
 PAY_TO_ADDRESS = "0x000000000000000000000000000000000000dEaD"