""" Production security validation and secret resolution. """ from __future__ import annotations import hmac import os import sys # Legacy well-known defaults — rejected in strict startup; never auto-resolved from code. KNOWN_INSECURE_API_KEYS = frozenset({"cepheus-dev-key"}) def is_production() -> bool: return os.getenv("CEPHEUS_PRODUCTION", "").strip() == "1" def is_demo_mode() -> bool: """Demo simulations (issue progress, missing-person auto-resolve) — never in production.""" if is_production(): return False return os.getenv("CEPHEUS_DEMO_MODE", "").strip() == "1" def is_auth_dev_mode() -> bool: """Local-only insecure auth defaults — never in production.""" if is_production(): return False return os.getenv("CEPHEUS_AUTH_DEV_MODE", "").strip() == "1" def safe_compare_strings(a: str, b: str) -> bool: if not a or not b: return False return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8")) def resolve_dev_api_key() -> str: if not is_auth_dev_mode(): return "" return os.getenv("CEPHEUS_DEV_API_KEY", "").strip() def resolve_api_key() -> str: key = os.getenv("CEPHEUS_API_KEY", "").strip() if key: return key if is_production(): return "" return resolve_dev_api_key() def resolve_readonly_api_key() -> str: """Optional read-only automation key (ISSUE-178). Role enforced at route dependencies.""" return os.getenv("CEPHEUS_READONLY_API_KEY", "").strip() def api_key_scope_label() -> str: """Document intended API key use (audit / ops); does not enforce RBAC by itself.""" return os.getenv("CEPHEUS_API_KEY_SCOPE", "").strip() def validate_startup() -> None: """Fail fast when production or a real cloud deployment is misconfigured. Local development may run the cloud stub engine (CEPHEUS_CLOUD=1) together with CEPHEUS_AUTH_DEV_MODE=1; that combination is intentionally exempt from the strict secret requirements so developers can run the full stack locally. Real cloud deployments must NOT set CEPHEUS_AUTH_DEV_MODE and therefore remain strict. """ errors: list[str] = [] dev_mode = is_auth_dev_mode() cloud = os.getenv("CEPHEUS_CLOUD", "").strip() in ("1", "true", "yes") # Strict when in production, or a cloud deploy that is NOT explicitly in dev mode. strict = is_production() or (cloud and not dev_mode) if strict: if not os.getenv("CEPHEUS_JWT_SECRET", "").strip(): errors.append("CEPHEUS_JWT_SECRET is required in production/cloud") if dev_mode and is_production(): errors.append("CEPHEUS_AUTH_DEV_MODE must be 0 in production") key = os.getenv("CEPHEUS_API_KEY", "").strip() if not key or key in KNOWN_INSECURE_API_KEYS: errors.append("CEPHEUS_API_KEY must be set to a non-default value in production/cloud") cors = os.getenv("CORS_ORIGINS", "").strip() if not cors: errors.append("CORS_ORIGINS must be set in production/cloud") if errors: for msg in errors: print(f"FATAL: {msg}", file=sys.stderr) raise SystemExit(1) def auth_enabled_check() -> bool: return bool(os.getenv("CEPHEUS_JWT_SECRET", "").strip()) or is_auth_dev_mode()