
Security: Hellinferno/Micro-cfo


docs/SECURITY.md

🔒 Security Guidelines for MicroCFO MCP Server

⚠️ CRITICAL: API Key Security

NEVER commit API keys to version control!

This project requires API keys for AI services (Gemini, OpenRouter). All API keys must be stored securely using environment variables or .env files.

πŸ›‘οΈ Secure Configuration Methods

Method 1: Environment Variables (Recommended for Production)

Windows (PowerShell)

$env:GEMINI_API_KEY="your_gemini_api_key_here"
$env:OPENROUTER_API_KEY="your_openrouter_api_key_here"

Windows (CMD)

set GEMINI_API_KEY=your_gemini_api_key_here
set OPENROUTER_API_KEY=your_openrouter_api_key_here

Unix/Linux/Mac

export GEMINI_API_KEY="your_gemini_api_key_here"
export OPENROUTER_API_KEY="your_openrouter_api_key_here"

Method 2: .env File (Recommended for Development)

  1. Copy the example file:

    cp .env.example .env
  2. Edit .env with your actual keys:

    GEMINI_API_KEY=your_actual_gemini_key_here
    OPENROUTER_API_KEY=your_actual_openrouter_key_here
  3. Load environment variables (optional):

    # Install python-dotenv
    pip install python-dotenv
    
    # In your script
    from dotenv import load_dotenv
    load_dotenv()

🔑 Getting API Keys

Google Gemini API Key

  1. Visit: https://makersuite.google.com/app/apikey
  2. Sign in with your Google account
  3. Click "Create API Key"
  4. Copy the key (starts with AIzaSy...)

OpenRouter API Key

  1. Visit: https://openrouter.ai/keys
  2. Sign up or log in
  3. Create a new API key
  4. Copy the key (starts with sk-or-...)

🚫 What NOT to Do

❌ NEVER do this:

# BAD - Hardcoded API key in source code
import os

os.environ['GEMINI_API_KEY'] = 'YOUR_API_KEY_HERE'  # NEVER hardcode keys!

✅ ALWAYS do this:

# GOOD - Load from environment
import os

GEMINI_API_KEY = os.getenv("GEMINI_API_KEY")
if not GEMINI_API_KEY:
    raise ValueError("GEMINI_API_KEY environment variable not set")

πŸ“ Files Protected by .gitignore

The following files are automatically excluded from git:

  • .env - Your actual API keys
  • .env.local - Local environment overrides
  • *.key - Any key files
  • *.pem - Certificate files
  • secrets.json - Secret configuration files
  • credentials.json - Credential files

πŸ” Checking for Exposed Keys

Before committing, always check:

# Search for potential API keys in staged files
git diff --cached | grep -i "api_key\|apikey\|secret\|password"

# Check git history for exposed keys
git log -p | grep -i "AIzaSy\|sk-or-"
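A scripted version of the staged-diff check above, added here as an example (it is not part of the MicroCFO project): it flags values by shape and skips placeholders, so a line like GEMINI_API_KEY = os.getenv("GEMINI_API_KEY") or the contents of .env.example do not trip it the way the name-based grep does. The key-shape regexes are assumptions built from the AIzaSy... and sk-or-... prefixes listed in this document.

```python
import re
import subprocess

# Key shapes are assumptions built from the prefixes this document lists
# (AIzaSy... for Gemini, sk-or-... for OpenRouter); adjust them if your keys differ.
KEY_PATTERNS = {
    "gemini": re.compile(r"AIzaSy[A-Za-z0-9_\-]{20,}"),
    "openrouter": re.compile(r"sk-or-[A-Za-z0-9_\-]{20,}"),
}
# Quoted 8+ char literal assigned to a secret-looking name; placeholders like your_gemini_api_key_here are skipped.
ASSIGNMENT = re.compile(r"(?:api_key|apikey|secret|password)\s*[=:]\s*['\"]([^'\"]{8,})['\"]", re.I)
PLACEHOLDERS = ("your_", "placeholder", "changeme", "xxx", "<", "${")

def scan_diff(diff_text: str) -> list:
    """Return (file, new_line_number, kind) for every added line that looks like a real secret."""
    findings, path, line_no = [], "?", 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):                 # new-file header: "+++ b/path"
            path = re.sub(r"^b/", "", line[4:])
        elif line.startswith("@@"):                 # hunk header: "+START[,COUNT]" of the new file
            m = re.search(r"\+(\d+)", line)
            line_no = int(m.group(1)) - 1 if m else 0
        elif line.startswith("+"):                  # added line: the only content we flag
            line_no += 1
            kind = next((k for k, p in KEY_PATTERNS.items() if p.search(line)), None)
            m = ASSIGNMENT.search(line)
            if not kind and m and not any(p in m.group(1).lower() for p in PLACEHOLDERS):
                kind = "suspicious-assignment"
            if kind:
                findings.append((path, line_no, kind))
        elif not line.startswith("-"):              # context line advances the new-file counter
            line_no += 1
    return findings

# Constructed sample diff: real-looking Gemini key, safe os.getenv() call, placeholder password, OpenRouter-style token.
SAMPLE_DIFF = """\
+++ b/config.py
@@ -1,2 +1,5 @@
 import os
+GEMINI_API_KEY = "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r"
+OPENROUTER_API_KEY = os.getenv("OPENROUTER_API_KEY")
+PASSWORD = "your_password_here"
+BACKUP_TOKEN = "sk-or-v1-0123456789abcdef0123456789abcdef"
"""

if __name__ == "__main__":  # as a pre-commit hook: a non-zero exit blocks the commit
    hits = scan_diff(subprocess.run(["git", "diff", "--cached"], capture_output=True, text=True).stdout)
    for p, n, k in hits:
        print(f"{p}:{n}: possible {k} in staged changes; revoke the key and unstage it")
    raise SystemExit(1 if hits else 0)
```

Wire it in as .git/hooks/pre-commit so the commit fails while the key is still only local. Once a key has been pushed, revocation is the only real fix, because clones and forks keep the old history even after a force push.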

🚨 If You Accidentally Commit an API Key

  1. Immediately revoke the key:

  2. Generate a new key

  3. Remove from git history:

    # Use git filter-branch or BFG Repo-Cleaner
    # See: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository
  4. Force push to remote:

    git push --force

πŸ” Best Practices

  1. Use different keys for development and production
  2. Rotate keys regularly (every 90 days recommended)
  3. Set up key expiration where supported
  4. Monitor API usage for unusual activity
  5. Use least privilege - only grant necessary permissions
  6. Never share keys via email, chat, or screenshots
  7. Use secrets management for production (AWS Secrets Manager, Azure Key Vault, etc.)

πŸ› οΈ Testing Without Real Keys

The MicroCFO server includes fallback modes that work without API keys:

# Agent A will use mock data if no API key is set
result = scan_invoice_document('test.jpg', use_mock=True)

# Agent D uses template-based generation as fallback
result = generate_negotiation_draft(...)  # Works without API keys

📞 Security Contact

If you discover a security vulnerability, please:

  1. DO NOT open a public issue
  2. Email the maintainer directly
  3. Include details of the vulnerability
  4. Allow time for a fix before public disclosure

✅ Security Checklist

Before making your repository public:

  • All API keys removed from source code
  • .env file added to .gitignore
  • .env.example created with placeholder values
  • SECURITY.md reviewed and understood
  • Git history checked for exposed keys
  • All team members briefed on security practices
  • API key rotation schedule established

📚 Additional Resources


Remember: Security is everyone's responsibility. When in doubt, ask! 🔒
