Merge pull request #1091 from adamvangrover/sentinel-secure-default-api-key-12915555136773243567

🛡️ Sentinel: [CRITICAL] Fix hardcoded fallback API key

Author: adamvangrover

.jules/sentinel.md

@@ -235,3 +235,7 @@
 **Vulnerability:** Hugging Face model downloads via `from_pretrained()` without a `revision` parameter are vulnerable to supply chain attacks, as the default branch can be updated with malicious weights.
 **Learning:** Bandit rule B615 explicitly requires pinning the `revision` parameter to a specific cryptographic commit hash (not a branch tag like "main") for secure model fetching.
 **Prevention:** Always pin Hugging Face dependencies to a verifiable commit hash (e.g., `revision="27d67f1b5f57dc0953326b2601d68371d40ea8da"`) when calling `from_pretrained()`.
+## 2026-05-26 - [Secure Default API Keys]
+**Vulnerability:** The `adam_api_key` in `core/settings.py` used a hardcoded fallback string `"default-insecure-key-change-me"`. This could easily be accidentally deployed to production, leaving the system vulnerable to unauthorized access.
+**Learning:** Hardcoding default strings for secrets, even with warnings or runtime environment checks, is an anti-pattern. Systems can be bypassed, or warning logs ignored.
+**Prevention:** Use `secrets.token_urlsafe(32)` with Pydantic's `Field(default_factory=...)` to dynamically generate a secure random string on initialization if no key is provided. This ensures that even if a configuration is missing, the fallback is a cryptographically strong, unguessable key.

core/settings.py

@@ -1,8 +1,9 @@
 from pydantic_settings import BaseSettings, SettingsConfigDict
 from typing import Optional, List
 import os
-from pydantic import model_validator
+from pydantic import model_validator, Field
 import logging
+import secrets
 
 
 class Settings(BaseSettings):
@@ -24,7 +25,7 @@ class Settings(BaseSettings):
     google_api_key: Optional[str] = None  # Added for Gemini support
 
     # Internal Security
-    adam_api_key: str = "default-insecure-key-change-me"
+    adam_api_key: str = Field(default_factory=lambda: secrets.token_urlsafe(32))
 
     # Database / Infrastructure
     postgres_user: Optional[str] = None
@@ -47,21 +48,6 @@ class Settings(BaseSettings):
         case_sensitive=False
     )
 
-    @model_validator(mode='after')
-    def check_security(self):
-        if self.adam_api_key == "default-insecure-key-change-me":
-            if self.environment.lower() == "production":
-                raise ValueError(
-                    "CRITICAL SECURITY ERROR: You are running in PRODUCTION mode with the default insecure API key. "
-                    "Please set ADAM_API_KEY environment variable to a secure value."
-                )
-            else:
-                logging.warning(
-                    "SECURITY WARNING: You are using the default insecure API key. "
-                    "This is acceptable for development, but MUST be changed in production."
-                )
-        return self
-
 
 # Global settings instance
 settings = Settings()

tests/test_legacy_api_security.py

@@ -33,7 +33,8 @@ def test_error_leakage(self):
                 "action": "run_analysis",
                 "parameters": {"query": "test"}
             }
-            headers = {"X-API-Key": "default-insecure-key-change-me"}
+            from core.settings import settings
+            headers = {"X-API-Key": settings.adam_api_key}
 
             # Act
             response = self.app.post('/', json=payload, headers=headers)

tests/test_settings_security.py

@@ -4,26 +4,19 @@
 import os
 
 class TestSettingsSecurity(unittest.TestCase):
-    def test_development_mode_allows_default_key(self):
-        """Test that development mode allows the default insecure key (with warning)."""
+    def test_default_key_is_secure(self):
+        """Test that by default, a secure random key is generated."""
         # Ensure environment is clean
         if "ADAM_API_KEY" in os.environ:
             del os.environ["ADAM_API_KEY"]
 
-        settings = Settings(environment="development")
-        self.assertEqual(settings.adam_api_key, "default-insecure-key-change-me")
-        self.assertEqual(settings.environment, "development")
+        settings_1 = Settings(environment="development")
+        settings_2 = Settings(environment="development")
 
-    def test_production_mode_blocks_default_key(self):
-        """Test that production mode raises ValueError if default key is used."""
-        # Ensure environment is clean
-        if "ADAM_API_KEY" in os.environ:
-            del os.environ["ADAM_API_KEY"]
-
-        with self.assertRaises(ValueError) as cm:
-            Settings(environment="production")
-
-        self.assertIn("CRITICAL SECURITY ERROR", str(cm.exception))
+        self.assertNotEqual(settings_1.adam_api_key, "default-insecure-key-change-me")
+        self.assertTrue(len(settings_1.adam_api_key) > 32)
+        # Should generate a new key each time if not provided
+        self.assertNotEqual(settings_1.adam_api_key, settings_2.adam_api_key)
 
     def test_production_mode_allows_secure_key(self):
         """Test that production mode allows a custom secure key."""