Use ephemeral API key for VPS e2e tests

.env.example

@@ -28,8 +28,8 @@ OPENBRAIN__QUERY__TEXT_WEIGHT=0.4
 
 # Authentication (optional)
 OPENBRAIN__AUTH__ENABLED=false
-# Comma-separated list of API keys
+# Comma-separated list of persistent API keys
-# OPENBRAIN__AUTH__API_KEYS=prod_live_key,ci_e2e_key,smoke_test_key
+# OPENBRAIN__AUTH__API_KEYS=prod_live_key,smoke_test_key
 
 # Logging
 RUST_LOG=info,openbrain_mcp=debug

.gitea/workflows/ci-cd.yaml

@@ -68,6 +68,14 @@ jobs:
           cargo build --release
           test -x target/release/openbrain-mcp
 
+      - name: Generate ephemeral e2e API key
+        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
+        run: |
+          set -euxo pipefail
+          install -d -m 700 .ci
+          umask 077
+          openssl rand -hex 32 > .ci/openbrain_e2e_key
+
       - name: Setup SSH auth
         if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
         run: |
@@ -104,6 +112,11 @@ jobs:
           : "${VPS_HOST:?Set repository secret VPS_HOST}"
           : "${VPS_USER:=root}"
           SSH="ssh -i $HOME/.ssh/deploy_key -o IdentitiesOnly=yes"
+          EPHEMERAL_E2E_KEY="$(cat .ci/openbrain_e2e_key)"
+          EFFECTIVE_OPENBRAIN__AUTH__API_KEYS="$EPHEMERAL_E2E_KEY"
+          if [[ -n "${OPENBRAIN__AUTH__API_KEYS:-}" ]]; then
+            EFFECTIVE_OPENBRAIN__AUTH__API_KEYS="${OPENBRAIN__AUTH__API_KEYS},${EPHEMERAL_E2E_KEY}"
+          fi
 
           : "${OPENBRAIN__DATABASE__HOST:?Set repository secret OPENBRAIN__DATABASE__HOST}"
           : "${OPENBRAIN__DATABASE__NAME:?Set repository secret OPENBRAIN__DATABASE__NAME}"
@@ -123,7 +136,7 @@ jobs:
             OPENBRAIN__DATABASE__USER='$OPENBRAIN__DATABASE__USER' \
             OPENBRAIN__DATABASE__PASSWORD='$OPENBRAIN__DATABASE__PASSWORD' \
             OPENBRAIN__DATABASE__POOL_SIZE='$OPENBRAIN__DATABASE__POOL_SIZE' \
-            OPENBRAIN__AUTH__API_KEYS='$OPENBRAIN__AUTH__API_KEYS' \
+            OPENBRAIN__AUTH__API_KEYS='$EFFECTIVE_OPENBRAIN__AUTH__API_KEYS' \
             bash -s" <<'EOS'
           set -euo pipefail
           DEPLOY_DIR="${DEPLOY_DIR:-/opt/openbrain-mcp}"
@@ -225,14 +238,54 @@ jobs:
         env:
           OPENBRAIN_E2E_REMOTE: "true"
           OPENBRAIN_E2E_BASE_URL: http://${{ secrets.VPS_HOST }}:3100
-          OPENBRAIN_E2E_API_KEY: ${{ secrets.OPENBRAIN_E2E_API_KEY }}
           OPENBRAIN__AUTH__ENABLED: "true"
         run: |
           set -euxo pipefail
-          : "${OPENBRAIN_E2E_API_KEY:?Set repository secret OPENBRAIN_E2E_API_KEY}"
+          export OPENBRAIN_E2E_API_KEY="$(cat .ci/openbrain_e2e_key)"
           . "$HOME/.cargo/env"
           cargo test --test e2e_mcp -- --test-threads=1
 
+      - name: Remove ephemeral e2e key and restart service
+        if: always() && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
+        run: |
+          set -euxo pipefail
+          : "${VPS_HOST:?Set repository secret VPS_HOST}"
+          : "${VPS_USER:=root}"
+          SSH="ssh -i $HOME/.ssh/deploy_key -o IdentitiesOnly=yes"
+          EPHEMERAL_E2E_KEY="$(cat .ci/openbrain_e2e_key)"
+          BASE_AUTH_KEYS="${OPENBRAIN__AUTH__API_KEYS:-}"
+
+          $SSH "$VPS_USER@$VPS_HOST" "\
+            DEPLOY_DIR=$DEPLOY_DIR \
+            OPENBRAIN__AUTH__API_KEYS='$BASE_AUTH_KEYS' \
+            bash -s" <<'EOS'
+          set -euo pipefail
+          DEPLOY_DIR="${DEPLOY_DIR:-/opt/openbrain-mcp}"
+          ENV_FILE="$DEPLOY_DIR/.env"
+
+          upsert_env() {
+            local key="$1"
+            local value="$2"
+            local escaped_value
+            escaped_value="$(printf '%s' "$value" | sed -e 's/[\\&|]/\\&/g')"
+            if grep -qE "^${key}=" "$ENV_FILE"; then
+              sed -i "s|^${key}=.*|${key}=${escaped_value}|" "$ENV_FILE"
+            else
+              printf '%s=%s\n' "$key" "$value" >> "$ENV_FILE"
+            fi
+          }
+
+          if [[ -n "${OPENBRAIN__AUTH__API_KEYS:-}" ]]; then
+            upsert_env "OPENBRAIN__AUTH__ENABLED" "true"
+            upsert_env "OPENBRAIN__AUTH__API_KEYS" "$OPENBRAIN__AUTH__API_KEYS"
+          else
+            upsert_env "OPENBRAIN__AUTH__ENABLED" "false"
+            sed -i '/^OPENBRAIN__AUTH__API_KEYS=/d' "$ENV_FILE"
+          fi
+          EOS
+
+          $SSH "$VPS_USER@$VPS_HOST" "systemctl restart $SERVICE_NAME"
+
       - name: Cleanup SSH key
         if: always()
         run: |

README.md

@@ -83,22 +83,21 @@ Recommended env for VPS-backed runs:
 ```bash
 OPENBRAIN_E2E_REMOTE=true
 OPENBRAIN_E2E_BASE_URL=https://ob.ingwaz.work
-OPENBRAIN_E2E_API_KEY=your_ci_e2e_key
 OPENBRAIN__AUTH__ENABLED=true
 ```
 
-The CI workflow uses this remote mode after `main` deploys so e2e coverage validates the VPS deployment rather than the local runner host.
+The CI workflow uses this remote mode after `main` deploys so e2e coverage validates the VPS deployment rather than the local runner host. It now generates a random per-run e2e key, temporarily appends it to the deployed `OPENBRAIN__AUTH__API_KEYS`, runs the suite, then removes the key and restarts the service.
 
-For live deployments, prefer a dedicated key set rather than reusing one API key everywhere. The server already accepts a comma-separated key list via `OPENBRAIN__AUTH__API_KEYS`, so a practical split is:
+For live deployments, keep `OPENBRAIN__AUTH__API_KEYS` for persistent non-test access only. The server accepts a comma-separated key list, so a practical split is:
 
 - `prod_live_key` for normal agent traffic
-- `ci_e2e_key` for post-deploy CI verification
 - `smoke_test_key` for ad hoc diagnostics
 
 In Gitea Actions, that means:
 
-- repo secret `OPENBRAIN__AUTH__API_KEYS=prod_live_key,ci_e2e_key,smoke_test_key`
+- repo secret `OPENBRAIN__AUTH__API_KEYS=prod_live_key,smoke_test_key`
-- repo secret `OPENBRAIN_E2E_API_KEY=ci_e2e_key`
+
+If you want prod e2e coverage without leaving a standing CI key on the server, the workflow-generated ephemeral key handles that automatically.
 
 ## Agent Zero Developer Prompt