From 06e2c7a29e3b578df126b8c30cb627045f6452b6 Mon Sep 17 00:00:00 2001
From: defiQUG
Date: Fri, 27 Mar 2026 17:11:16 -0700
Subject: [PATCH] Move explorer AI key loading to secure secrets
---
 docs/EXPLORER_API_ACCESS.md | 12 +++++++++++-
 scripts/deploy-explorer-ai-to-vmid5000.sh | 8 ++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/docs/EXPLORER_API_ACCESS.md b/docs/EXPLORER_API_ACCESS.md
index 8b719c3..732d7d3 100644
--- a/docs/EXPLORER_API_ACCESS.md
+++ b/docs/EXPLORER_API_ACCESS.md
@@ -215,14 +215,24 @@ Use the dedicated deployment script when you need to:
 - ensure a real `JWT_SECRET`
 - install or refresh the explorer database override used for AI indexed context
 - optionally install `XAI_API_KEY`
+- recommended local secret file: `~/.secure-secrets/explorer-ai.env`
 - normalize nginx for `/explorer-api/v1/*`
 ```bash
 cd /path/to/explorer-monorepo
 XAI_API_KEY=... bash scripts/deploy-explorer-ai-to-vmid5000.sh
+
+# or keep the key outside the repo and let the deploy script source it:
+cat > ~/.secure-secrets/explorer-ai.env <<'EOF'
+XAI_BASE_URL=https://api.x.ai/v1
+EXPLORER_AI_MODEL=grok-3
+XAI_API_KEY=...
+EOF
+chmod 600 ~/.secure-secrets/explorer-ai.env
+bash scripts/deploy-explorer-ai-to-vmid5000.sh
 ```
-If `XAI_API_KEY` is omitted, the AI context endpoint will still work, but chat will remain disabled with a backend `service_unavailable` response.
+If `XAI_API_KEY` is omitted, the AI context endpoint will still work, but chat will remain disabled with a backend `service_unavailable` response. The deploy script will automatically source `~/.secure-secrets/explorer-ai.env` when it exists.
 On VMID `5000`, the script also writes a dedicated `database.conf` drop-in for `explorer-config-api` so AI context can query the live Blockscout Postgres container instead of assuming `localhost:5432`.
diff --git a/scripts/deploy-explorer-ai-to-vmid5000.sh b/scripts/deploy-explorer-ai-to-vmid5000.sh
index c4ce542..409b988 100644
--- a/scripts/deploy-explorer-ai-to-vmid5000.sh
+++ b/scripts/deploy-explorer-ai-to-vmid5000.sh
@@ -11,6 +11,14 @@ TMP_DIR="$(mktemp -d)"
 JWT_SECRET_VALUE="${JWT_SECRET_VALUE:-}"
 EXPLORER_AI_MODEL_VALUE="${EXPLORER_AI_MODEL_VALUE:-grok-3}"
 EXPLORER_DATABASE_URL_VALUE="${EXPLORER_DATABASE_URL_VALUE:-}"
+SECURE_AI_ENV_FILE="${SECURE_AI_ENV_FILE:-$HOME/.secure-secrets/explorer-ai.env}"
+
+if [ -f "$SECURE_AI_ENV_FILE" ]; then
+ set -a
+ # Source the local secrets file so deploys do not depend on repo-stored API keys.
+ source "$SECURE_AI_ENV_FILE"
+ set +a
+fi
 cleanup() {
 rm -rf "$TMP_DIR"
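Review bot: The added top-level block runs `source "$SECURE_AI_ENV_FILE"` on any regular file at that path without checking ownership or permission bits, so a secrets file that another account can write is executed as shell in the deploy context; the docs in this commit recommend `chmod 600`, but nothing here enforces it. Because the file is sourced unconditionally, an `XAI_API_KEY` line in it also silently replaces a key passed as `XAI_API_KEY=... bash scripts/deploy-explorer-ai-to-vmid5000.sh`, which the docs still list as a supported invocation. `set -a` exports every variable in the file to each child process the script starts afterwards (those calls are outside this hunk), which may be wider than the key needs to travel. A guarded version is sketched below; the permission test uses GNU find syntax and would need adapting on other platforms, and the early exit happens after `mktemp -d`, so the block is better placed above that line or the temp dir removed before exiting.

```shell
if [ -f "$SECURE_AI_ENV_FILE" ]; then
  # The file is executed as shell, so require the invoking user to own it and
  # no group/other permission bits (-perm /077 is GNU find syntax).
  if [ ! -O "$SECURE_AI_ENV_FILE" ] ||
    [ -n "$(find "$SECURE_AI_ENV_FILE" -maxdepth 0 -perm /077)" ]; then
    echo "refusing to source $SECURE_AI_ENV_FILE: must be owned by the invoking user and closed to group/other" >&2
    exit 1
  fi
  caller_xai_api_key="${XAI_API_KEY:-}"
  # … unchanged: set -a / source "$SECURE_AI_ENV_FILE" / set +a …
  # A key passed explicitly in the caller's environment keeps precedence.
  if [ -n "$caller_xai_api_key" ]; then
    XAI_API_KEY="$caller_xai_api_key"
  fi
fi
```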