fix: api keys — likely for anthropic claude and/or h... in prototype.ts

[orbisai0security]

Summary

Fix critical severity security issue in design/prototype.ts.

Vulnerability

Field	Value
ID	V-001
Severity	CRITICAL
Scanner	multi_agent_ai
Rule	V-001
File	design/prototype.ts:6

Description: API keys — likely for Anthropic Claude and/or HuggingFace — appear to be hardcoded directly in design/prototype.ts at lines 6, 12, and 13 rather than loaded from environment variables or a secrets manager. With 100 total API key references detected across the codebase, the exposure surface is broad. Any person or automated system with read access to the repository can extract these credentials.

Changes

• design/prototype.ts

Verification

• Build passes
• Scanner re-scan confirms fix
• LLM code review passed

---

Automated security fix by OrbisAI Security

---

^{Need help on this PR? Tag @codesmith with what you need.}

• Let Codesmith autofix CI failures and bot reviews

[garrytan]

Closing — false positive. design/prototype.ts reads process.env.OPENAI_API_KEY (line 12); there are no hardcoded keys in the file. The scanner appears to have misclassified the env-var read as a literal.

[orbisai0security]

Thanks for reviewing. I agree, this was a false positive.

The scanner misclassified process.env.OPENAI_API_KEY / the local ~/.gstack/openai.json fallback as a hardcoded secret, but there is no literal API key committed in design/prototype.ts.

I’ll tune the detector to distinguish environment-variable reads and local config-file reads from actual embedded credentials. Sorry for the noise.