Skip to content

fix: harden extension templates and APE API key verification#849

Merged
Lightheartdevs merged 1 commit intoLight-Heart-Labs:mainfrom
yasinBursali:fix/extension-security-hardening
Apr 8, 2026
Merged

fix: harden extension templates and APE API key verification#849
Lightheartdevs merged 1 commit intoLight-Heart-Labs:mainfrom
yasinBursali:fix/extension-security-hardening

Conversation

@yasinBursali
Copy link
Copy Markdown
Contributor

@yasinBursali yasinBursali commented Apr 8, 2026

What

  • Add 127.0.0.1: prefix to port bindings in extension compose templates
  • Replace non-constant-time API key comparison in APE with secrets.compare_digest

Why

  • Extension templates used bare port bindings ("${PORT}:1234"), teaching community extension authors the wrong pattern — LAN-exposed by default. All deployed services already bind to 127.0.0.1.
  • APE was the only service using != for API key comparison. All other services (dashboard-api, host-agent, token-spy, privacy-shield) use secrets.compare_digest().

How

  • compose-template.yaml:61 and compose-gpu-only.yaml:64: prefixed with 127.0.0.1:
  • ape/main.py:249: x_api_key != API_KEYnot secrets.compare_digest(x_api_key or "", API_KEY) (secrets already imported)

Testing

  • YAML validated, Python syntax checked
  • Live tested: wrong key → 401, correct key → processes request

Platform Impact

  • All platforms: Identical — templates and Python auth are platform-agnostic

@yasinBursali @claude
fix: harden extension templates and APE API key verification
df2bf5c 
Bind template port mappings to 127.0.0.1 to prevent LAN exposure,
and use secrets.compare_digest for constant-time API key comparison
in APE to prevent timing attacks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Lightheartdevs
Lightheartdevs approved these changes Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@Lightheartdevs Lightheartdevs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

APPROVE — security hardening. APE API key comparison changed from != to secrets.compare_digest() (timing attack fix). Extension templates hardened to 127.0.0.1 binding.

@Lightheartdevs Lightheartdevs merged commit 46b1e7f into Light-Heart-Labs:main Apr 8, 2026
28 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Lightheartdevs Lightheartdevs Lightheartdevs approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@yasinBursali @Lightheartdevs