From b001d627e1e5ad147df1d5a2803fe055617bfde0 Mon Sep 17 00:00:00 2001
From: Agent Zero
Date: Mon, 23 Mar 2026 03:00:32 +0000
Subject: [PATCH] Provision auth key sets for VPS-backed e2e

---
 .env.example | 2 +-
 .gitea/workflows/ci-cd.yaml | 6 ++++++
 README.md | 13 ++++++++++++-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/.env.example b/.env.example
index 4f273f9..ab0d972 100644
--- a/.env.example
+++ b/.env.example
@@ -29,7 +29,7 @@ OPENBRAIN__QUERY__TEXT_WEIGHT=0.4
 # Authentication (optional)
 OPENBRAIN__AUTH__ENABLED=false
 # Comma-separated list of API keys
-# OPENBRAIN__AUTH__API_KEYS=key1,key2,key3
+# OPENBRAIN__AUTH__API_KEYS=prod_live_key,ci_e2e_key,smoke_test_key
 
 # Logging
 RUST_LOG=info,openbrain_mcp=debug
diff --git a/.gitea/workflows/ci-cd.yaml b/.gitea/workflows/ci-cd.yaml
index 8ee2b96..fed0f0b 100644
--- a/.gitea/workflows/ci-cd.yaml
+++ b/.gitea/workflows/ci-cd.yaml
@@ -18,6 +18,7 @@ jobs:
 OPENBRAIN__DATABASE__USER: ${{ secrets.OPENBRAIN__DATABASE__USER }}
 OPENBRAIN__DATABASE__PASSWORD: ${{ secrets.OPENBRAIN__DATABASE__PASSWORD }}
 OPENBRAIN__DATABASE__POOL_SIZE: ${{ secrets.OPENBRAIN__DATABASE__POOL_SIZE }}
+ OPENBRAIN__AUTH__API_KEYS: ${{ secrets.OPENBRAIN__AUTH__API_KEYS }}
 DEPLOY_DIR: /opt/openbrain-mcp
 SERVICE_NAME: openbrain-mcp
 steps:
@@ -122,6 +123,7 @@ jobs:
 OPENBRAIN__DATABASE__USER='$OPENBRAIN__DATABASE__USER' \
 OPENBRAIN__DATABASE__PASSWORD='$OPENBRAIN__DATABASE__PASSWORD' \
 OPENBRAIN__DATABASE__POOL_SIZE='$OPENBRAIN__DATABASE__POOL_SIZE' \
+ OPENBRAIN__AUTH__API_KEYS='$OPENBRAIN__AUTH__API_KEYS' \
 bash -s" <<'EOS'
 set -euo pipefail
 DEPLOY_DIR="${DEPLOY_DIR:-/opt/openbrain-mcp}"
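Review bot: In `.gitea/workflows/ci-cd.yaml` (hunk `@@ -18,6 +18,7 @@`), the added `OPENBRAIN__AUTH__API_KEYS: ${{ secrets.OPENBRAIN__AUTH__API_KEYS }}` appears to sit in the job-level `env:` block, since it is followed directly by `steps:`. That would put the whole key list, production key included, in the environment of every step in the job rather than only the deploy step. Indentation is lost in this view and the block starts outside the hunk, so confirm the scope. If it is job-level, move the entry to an `env:` on the step that runs the remote deploy, so that build and test steps and any third-party actions never receive it.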
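Review bot: In `.gitea/workflows/ci-cd.yaml` (hunk `@@ -122,6 +123,7 @@`), the added `OPENBRAIN__AUTH__API_KEYS='$OPENBRAIN__AUTH__API_KEYS' \` is expanded on the runner and passed to the remote shell protected only by literal single quotes. A key value that contains `'` would end the quoting, and the rest would be parsed as shell on the VPS. The keys also become part of the remote command line, where they are readable from the process list and may be captured by session logging. Passing the values on stdin together with the script avoids both problems; if they must stay on the command line, escape them first (bash `printf '%q'`). The command begins outside this hunk, so this reading assumes the closing `"` after `bash -s` matches an opening double quote on an earlier line.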
@@ -186,6 +188,10 @@ jobs:
 upsert_env "OPENBRAIN__DATABASE__USER" "$OPENBRAIN__DATABASE__USER"
 upsert_env "OPENBRAIN__DATABASE__PASSWORD" "$OPENBRAIN__DATABASE__PASSWORD"
 upsert_env "OPENBRAIN__DATABASE__POOL_SIZE" "$OPENBRAIN__DATABASE__POOL_SIZE"
+ if [[ -n "${OPENBRAIN__AUTH__API_KEYS:-}" ]]; then
+ upsert_env "OPENBRAIN__AUTH__ENABLED" "true"
+ upsert_env "OPENBRAIN__AUTH__API_KEYS" "$OPENBRAIN__AUTH__API_KEYS"
+ fi
 upsert_env "OPENBRAIN__EMBEDDING__MODEL_PATH" "$DEPLOY_DIR/models/all-MiniLM-L6-v2"
 upsert_env "ORT_DYLIB_PATH" "$DEPLOY_DIR/lib/libonnxruntime.so"
 upsert_env "OPENBRAIN__SERVER__HOST" "0.0.0.0"
diff --git a/README.md b/README.md
index 00bf5f9..5da6374 100644
--- a/README.md
+++ b/README.md
@@ -83,12 +83,23 @@ Recommended env for VPS-backed runs:
 ```bash
 OPENBRAIN_E2E_REMOTE=true
 OPENBRAIN_E2E_BASE_URL=https://ob.ingwaz.work
-OPENBRAIN_E2E_API_KEY=your_live_api_key
+OPENBRAIN_E2E_API_KEY=your_ci_e2e_key
 OPENBRAIN__AUTH__ENABLED=true
 ```
 
 The CI workflow uses this remote mode after `main` deploys so e2e coverage validates the VPS deployment rather than the local runner host.
 
+For live deployments, prefer a dedicated key set rather than reusing one API key everywhere. The server already accepts a comma-separated key list via `OPENBRAIN__AUTH__API_KEYS`, so a practical split is:
+
+- `prod_live_key` for normal agent traffic
+- `ci_e2e_key` for post-deploy CI verification
+- `smoke_test_key` for ad hoc diagnostics
+
+In Gitea Actions, that means:
+
+- repo secret `OPENBRAIN__AUTH__API_KEYS=prod_live_key,ci_e2e_key,smoke_test_key`
+- repo secret `OPENBRAIN_E2E_API_KEY=ci_e2e_key`
+
 ## Agent Zero Developer Prompt
 
 For Agent Zero / A0, add the following section to the Developer agent role
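Review bot: In `.gitea/workflows/ci-cd.yaml` (hunk `@@ -186,6 +188,10 @@`), the added `if [[ -n "${OPENBRAIN__AUTH__API_KEYS:-}" ]]` guard fails open. When the secret is missing or empty the deploy still succeeds and neither `OPENBRAIN__AUTH__ENABLED` nor the key list is written. The service then keeps whatever the existing env file holds, possibly auth disabled or keys that were meant to be revoked, while the context lines just below set `OPENBRAIN__SERVER__HOST` to `0.0.0.0`. For a network-reachable deployment it is safer to abort when the secret is absent, e.g. `: "${OPENBRAIN__AUTH__API_KEYS:?auth key secret is not set}"`, and then run the two `upsert_env` calls unconditionally. `upsert_env` is defined outside this hunk, so how it treats an existing entry is not visible here.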