Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Add OrchestratorApiKeyGuard to protect agent management endpoints (spawn, kill, kill-all, status) from unauthorized access. Uses X-API-Key header with constant-time comparison to prevent timing attacks.

- Create apps/orchestrator/src/common/guards/api-key.guard.ts
- Add comprehensive tests for all guard scenarios
- Apply guard to AgentsController (controller-level protection)
- Document ORCHESTRATOR_API_KEY in .env.example files
- Health endpoints remain unauthenticated for monitoring

Security: Prevents unauthorized users from draining API credits or killing all agents via unprotected endpoints.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
35 lines
877 B
Plaintext
# Orchestrator Configuration
ORCHESTRATOR_PORT=3001
NODE_ENV=development

# Valkey
VALKEY_HOST=localhost
VALKEY_PORT=6379
VALKEY_URL=redis://localhost:6379

# Claude API
CLAUDE_API_KEY=your-api-key-here

# Docker
DOCKER_SOCKET=/var/run/docker.sock

# Git
GIT_USER_NAME="Mosaic Orchestrator"
GIT_USER_EMAIL="orchestrator@mosaicstack.dev"

# Security
KILLSWITCH_ENABLED=true
SANDBOX_ENABLED=true

# API Authentication
# CRITICAL: Generate a random API key with at least 32 characters
# Example: openssl rand -base64 32
# Required for all /agents/* endpoints (spawn, kill, kill-all, status)
# Health endpoints (/health/*) remain unauthenticated
ORCHESTRATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS

# Quality Gates
# YOLO mode bypasses all quality gates (default: false)
# WARNING: Only enable for development/testing. Not recommended for production.
YOLO_MODE=false
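The X-API-Key check described in the commit message and in the API Authentication comments, sketched as plain Node.js. This is an added example, not the project's api-key.guard.ts; the function names and result shape are hypothetical, and rejecting the unchanged placeholder and hashing both sides before comparing are assumptions of this sketch.

```javascript
// Added example: not the project's guard. Names below are hypothetical.
const crypto = require('node:crypto');

const MIN_KEY_LENGTH = 32; // minimum stated in the .env.example comment
// Placeholder value shipped in .env.example; it is longer than 32 characters,
// so a length check alone would accept it.
const PLACEHOLDER = 'REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS';

// Compare two strings without revealing, through timing, where they differ.
// crypto.timingSafeEqual throws when the buffers differ in length, so both
// sides are first reduced to fixed-length SHA-256 digests.
function constantTimeEqual(a, b) {
  const da = crypto.createHash('sha256').update(a, 'utf8').digest();
  const db = crypto.createHash('sha256').update(b, 'utf8').digest();
  return crypto.timingSafeEqual(da, db);
}

// headers: lower-cased header map of the incoming request
// env:     environment object (process.env in a running service)
function checkApiKey(headers, env) {
  const expected = env.ORCHESTRATOR_API_KEY;
  // Fail closed when the server key is unset, too short, or still the placeholder.
  if (typeof expected !== 'string' ||
      expected.length < MIN_KEY_LENGTH ||
      expected === PLACEHOLDER) {
    return { allowed: false, reason: 'server-key-not-configured' };
  }
  const provided = headers['x-api-key'];
  // Refuse anything that is not a single non-empty string.
  if (typeof provided !== 'string' || provided.length === 0) {
    return { allowed: false, reason: 'missing-key' };
  }
  if (!constantTimeEqual(provided, expected)) {
    return { allowed: false, reason: 'invalid-key' };
  }
  return { allowed: true, reason: 'ok' };
}
```

Checking the configured key on every call means a deployment that copied .env.example unchanged refuses all agent requests instead of accepting the published placeholder.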