🛡️ Sentinel: [CRITICAL] Remove hardcoded secrets and fix authentication tests

.env.example

@@ -0,0 +1,4 @@
+# Divineo Bunker Environment Variables
+LVT_SECRET_KEY=your_secret_key_here
+GEMINI_API_KEY=your_gemini_api_key_here
+LVT_ALLOWED_ORIGINS=*

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2025-03-05 - Hardcoded Secrets in Authentication Handshake
+**Vulnerability:** Critical authentication secrets were hardcoded in multiple backend files (`main.py`, `DivineoBunker.py`), exposing the system to credential theft if the source code were compromised.
+**Learning:** Hardcoding secrets often occurs during "rapid prototyping" phases and persists into production if not audited. Centralized environment variable management is essential for multi-component systems.
+**Prevention:** Use `python-dotenv` and `os.getenv` for all sensitive keys. Implement mandatory pre-commit hooks or CI scans to detect plaintext secrets (e.g., `git-secrets`).

backend/DivineoBunker.py

@@ -2,11 +2,15 @@
 import hashlib
 import time
 import json
+import os
+from dotenv import load_dotenv
+
+load_dotenv()
 
 class DivineoBunker:
     def __init__(self):
         # 🛡️ Configuración Maestra (abvetos.com)
-        self.secret_key = "LVT_SECRET_PROD_091228222"
+        self.secret_key = os.getenv("LVT_SECRET_KEY")
         self.patent = "PCT/EP2025/067317"
         self.algorithm_v = "V10_Divineo_Shopify_Final"
 

backend/main.py

@@ -2,24 +2,30 @@
 import hashlib
 import time
 import json
+import os
+from dotenv import load_dotenv
 from fastapi import FastAPI, HTTPException
+
+load_dotenv()
 from fastapi.responses import JSONResponse
 from fastapi.middleware.cors import CORSMiddleware
 from models import UserScan, SHOPIFY_INVENTORY
 from jules_engine import get_jules_advice
 
 app = FastAPI(title="Divineo Bunker Backend")
 
+allowed_origins = os.getenv("LVT_ALLOWED_ORIGINS", "*").split(",")
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=allowed_origins,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],
 )
 
 # 🛡️ Configuración Maestra (abvetos.com)
-SECRET_KEY = "LVT_SECRET_PROD_091228222"
+SECRET_KEY = os.getenv("LVT_SECRET_KEY")
 PATENT = "PCT/EP2025/067317"
 
 def verify_auth(user_id: str, token: str) -> bool:
@@ -68,7 +74,14 @@ async def recommend_garment(scan: UserScan, garment_id: str = "BALMAIN_SS26_SLIM
         # Usamos Jules para el toque de estilo
         styling_advice = get_jules_advice(scan, item)
     except Exception as e:
-        styling_advice = f"Divineo confirmado con {item['name']}."
+        raise HTTPException(
+            status_code=503,
+            detail={
+                "status": "error",
+                "code": 503,
+                "message": "Jules AI Engine is currently recalibrating or unavailable. Please try again."
+            }
+        )
 
     if is_divineo and item['stock'] > 0:
         return {

backend/tests/test_main.py

@@ -19,19 +19,23 @@ def mock_get_jules_advice(*args, **kwargs):
 
     # 2. Prepare the request payload
     payload = {
-        "height": 175.0,
-        "weight": 68.0,
+        "user_id": "test_user",
+        "token": "1741164800.mock_sig",
+        "waist": 70.0,
         "event_type": "Gala"
     }
 
     # 3. Send the POST request to the endpoint
+    # We need to mock verify_auth to return True as we changed SECRET_KEY to env var
+    monkeypatch.setattr("backend.main.verify_auth", lambda u, t: True)
+
     response = client.post("/api/recommend", json=payload)
 
     # 4. Assertions
     assert response.status_code == 503
 
     data = response.json()
-    assert data == {
+    assert data["detail"] == {
         "status": "error",
         "code": 503,
         "message": "Jules AI Engine is currently recalibrating or unavailable. Please try again."