
[WEB-7805] fix: remove hardcoded SECRET_KEY from community deployment manifests#9291

Open
mguptahub wants to merge 2 commits into preview from web-7805/fix-hardcoded-secret-key

Conversation


@mguptahub mguptahub commented Jun 22, 2026

Collaborator

Summary

  • Advisory: GHSA-cmwv-pjmw-8483 (Critical — Hardcoded SECRET_KEY)
  • Replaces the publicly-known default SECRET_KEY and LIVE_SERVER_SECRET_KEY in AIO and CLI community deployment templates with a safe placeholder (change-this-key-on-deployment)
  • AIO start.sh now auto-generates a cryptographically random key on first boot and persists it across restarts — no operator action required; also detects and replaces the old insecure default on upgrade
  • CLI docker-compose.yml removes all :-hardcoded-value fallbacks
  • common.py strengthens SECRET_KEY resolution to treat an empty env var the same as unset (using or), and prints a CRITICAL SECURITY WARNING to stderr if the known insecure default or placeholder is active at startup

Files changed

  • deployments/aio/community/variables.env: replace hardcoded SECRET_KEY + LIVE_SERVER_SECRET_KEY with placeholder
  • deployments/aio/community/start.sh: auto-generate random keys on first boot; remove help text that documented defaults
  • deployments/cli/community/variables.env: replace hardcoded SECRET_KEY + LIVE_SERVER_SECRET_KEY with placeholder
  • deployments/cli/community/docker-compose.yml: remove :-hardcoded fallbacks for both secret keys
  • apps/api/plane/settings/common.py: use or for empty-env fallback; warn on startup for insecure/placeholder keys

Upgrade behaviour

  • AIO: on the next start.sh run, any instance using the old compromised default is automatically rotated to a fresh random key. Existing custom keys are preserved.
  • CLI: instances using the old compromised key continue to work with a loud warning on stderr until the operator updates variables.env.

Test plan

  • Fresh AIO install: confirm plane.env gets a random SECRET_KEY (not the old default or placeholder)
  • AIO restart with existing random key: confirm key is preserved (sessions survive restart)
  • AIO upgrade from old install (old default in plane.env): confirm key is rotated to new random value
  • CLI install: confirm SECRET_KEY=change-this-key-on-deployment in variables.env works for local dev
  • CLI with old default: confirm CRITICAL SECURITY WARNING appears in container logs
  • CLI with proper key set: confirm no warning

Co-authored-by: Plane AI noreply@plane.so

Summary by CodeRabbit

  • Security
    • Added detection and critical warnings for commonly insecure or placeholder secret key values to make misconfigurations immediately visible.
    • Updated secret key handling to treat empty values as unset, generating new keys automatically on first boot/first deployment when needed.
    • Improved deployment configuration and messaging, including clearer guidance for generating secure SECRET_KEY and LIVE_SERVER_SECRET_KEY.
    • Tightened environment requirements in container setup to avoid accidental fallback defaults.

…(GHSA-cmwv-pjmw-8483)

Replace the publicly-known default SECRET_KEY and LIVE_SERVER_SECRET_KEY values
in AIO and CLI community deployment manifests with a safe placeholder.

- deployments/aio: variables.env now ships with placeholder values;
  start.sh auto-generates a random key on first boot (or on upgrade from the old
  insecure default) and persists it in plane.env across restarts
- deployments/cli: variables.env ships with placeholder; docker-compose.yml
  fallbacks that referenced the publicly-known default are removed
- apps/api/plane/settings/common.py: SECRET_KEY resolution now uses `or`
  so an empty env var falls back to get_random_secret_key() (not ""); adds a
  startup warning if the known insecure default or placeholder is detected

Closes WEB-7805

Co-authored-by: Plane AI <noreply@plane.so>
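The two behaviours described above (the settings-side `or` fallback with an insecure-key warning, and the startup script's keep-or-rotate logic for plane.env) reduced to a small runnable model. This is an added illustration, not code from the PR or from Plane; it assumes a constructed stand-in string for the leaked default (the real value is intentionally not reproduced), uses the `secrets` module in place of Django's get_random_secret_key(), and replaces start.sh's shell with equivalent Python file handling.

```python
import logging
import secrets
import string
import tempfile
from pathlib import Path

# Constructed stand-in for the leaked default; the real value is deliberately not reproduced here.
OLD_INSECURE_DEFAULT = "old-leaked-default-PLACEHOLDER"
PLACEHOLDER = "change-this-key-on-deployment"
_INSECURE_SECRET_KEYS = {OLD_INSECURE_DEFAULT, PLACEHOLDER}
_logger = logging.getLogger(__name__)

def generate_secret_key(length: int = 50) -> str:
    """Random alphanumeric key (stands in for Django's get_random_secret_key())."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def resolve_secret_key(env: dict) -> tuple[str, bool]:
    """Settings-side behaviour: an empty env var counts as unset; flag known-bad values."""
    key = env.get("SECRET_KEY") or generate_secret_key()  # `or`, so "" also falls back
    insecure = key in _INSECURE_SECRET_KEYS
    if insecure:
        _logger.critical("CRITICAL SECURITY WARNING: SECRET_KEY is a known "
                         "insecure or placeholder value; set a unique key")
    return key, insecure

def choose_persisted_key(stored: str) -> tuple[str, bool]:
    """Startup-script behaviour: keep a real stored key, otherwise rotate to a fresh one."""
    if stored and stored not in _INSECURE_SECRET_KEYS:
        return stored, False
    return generate_secret_key(), True

def update_env_file(plane_env: Path, var: str = "SECRET_KEY") -> str:
    """Read var from plane.env, apply choose_persisted_key, write back only if rotated."""
    lines = plane_env.read_text().splitlines() if plane_env.exists() else []
    stored = next((ln.split("=", 1)[1] for ln in lines if ln.startswith(var + "=")), "")
    key, rotated = choose_persisted_key(stored)
    if rotated:
        lines = [ln for ln in lines if not ln.startswith(var + "=")] + [f"{var}={key}"]
        plane_env.write_text("\n".join(lines) + "\n")
    return key

def demo_upgrade_then_restart() -> dict:
    """Old insecure default on disk: rotated on the first run, preserved on the next."""
    with tempfile.TemporaryDirectory() as tmp:
        env = Path(tmp) / "plane.env"
        env.write_text(f"SECRET_KEY={OLD_INSECURE_DEFAULT}\n")
        first, second = update_env_file(env), update_env_file(env)
    return {"rotated": first != OLD_INSECURE_DEFAULT, "preserved": first == second}
```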
@mguptahub mguptahub requested a review from dheeru0198 as a code owner June 22, 2026 11:45
Copilot AI review requested due to automatic review settings June 22, 2026 11:45

Copilot AI left a comment

Contributor


Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.


coderabbitai Bot commented Jun 22, 2026

Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between c648540 and bbdd4f0.

📝 Walkthrough

Walkthrough

The PR hardens secret key handling across the Plane stack: Django settings now detects known insecure/placeholder key values and emits a critical warning to stderr. The AIO startup script gains first-boot auto-generation logic that preserves previously stored keys across restarts. Deployment config files replace hardcoded secret defaults with change-this-key-on-deployment placeholders.

Changes

Secret Key Security Hardening

  • Django settings: insecure key detection and warning (apps/api/plane/settings/common.py). Changes SECRET_KEY to treat an empty env var as unset via the or operator; defines the _INSECURE_SECRET_KEYS set; moves logger initialization earlier; logs a critical warning when the active key matches a known-insecure value.
  • AIO startup script: first-boot key auto-generation (deployments/aio/community/start.sh). Updates header messaging to document auto-generation on first boot; modifies update_env_file to preserve previously stored non-placeholder keys from plane.env across restarts and otherwise generate and persist new random alphanumeric keys.
  • Deployment config: replace hardcoded secrets with placeholders (deployments/aio/community/variables.env, deployments/cli/community/variables.env, deployments/cli/community/docker-compose.yml). Changes SECRET_KEY and LIVE_SERVER_SECRET_KEY from hardcoded values to change-this-key-on-deployment placeholders with expanded secure-generation instructions; removes hardcoded fallback defaults from Docker Compose anchors.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 No more secrets left in plain,
The defaults were a hidden pain!
A placeholder now guards the gate,
First boot will generate — how great!
With warnings loud on stderr's stream,
Our keys are safe, or so I dream. 🔑

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 50.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately summarizes the main change: removing hardcoded SECRET_KEY from community deployment manifests to address a critical security vulnerability.
  • Description check: ✅ Passed. The description is comprehensive and includes a summary, detailed file changes, upgrade behavior, and a test plan. However, it does not follow the provided repository template structure.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



makeplane Bot commented Jun 22, 2026


Linked to Plane Work Item(s)

This comment was auto-generated by Plane

Comment thread apps/api/plane/settings/common.py Fixed
…ning

Address code review feedback — replace module-level print() with _logger.critical()
and move _logger definition before the SECRET_KEY block to avoid duplicate assignment.
Also removes the now-unused `import sys`.

Co-authored-by: Plane AI <noreply@plane.so>