From 05aaf7a85e3d266d61750528afba48a29d6d7992 Mon Sep 17 00:00:00 2001 From: Swifty Date: Tue, 17 Feb 2026 11:16:43 +0100 Subject: [PATCH] fix(backend): Rename LINEAR_API_KEY to COPILOT_LINEAR_API_KEY to prevent global access (#12143) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `LINEAR_API_KEY` environment variable name is too generic — it matches the key name used by integrations/blocks, meaning that if set globally, it could inadvertently grant all users access to Linear through the blocks system rather than restricting it to the copilot feature-request tool. This renames the setting to `COPILOT_LINEAR_API_KEY` to make it clear this key is scoped exclusively to the copilot's feature-request functionality, preventing it from being picked up as a general-purpose Linear credential. ### Changes 🏗️ - Renamed `linear_api_key` → `copilot_linear_api_key` in `Secrets` settings model (`backend/util/settings.py`) - Updated all references in the copilot feature-request tool (`backend/api/features/chat/tools/feature_requests.py`) ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Verified the rename is consistent across all references (settings + feature_requests tool) - [x] No other files reference the old `linear_api_key` setting name #### For configuration changes: - [x] `.env.default` is updated or already compatible with my changes - [x] I have included a list of my configuration changes in the PR description (under **Changes**) > **Note:** The env var changes from `LINEAR_API_KEY` to `COPILOT_LINEAR_API_KEY`. Any deployment using the old name will need to update accordingly.

Greptile Summary

 Renamed `LINEAR_API_KEY` to `COPILOT_LINEAR_API_KEY` in settings and the copilot feature-request tool to prevent unintended access through Linear blocks. **Key changes:** - Updated `Secrets.linear_api_key` → `Secrets.copilot_linear_api_key` in `backend/util/settings.py` - Updated all references in `backend/api/features/chat/tools/feature_requests.py` - The rename prevents the copilot Linear key from being picked up by the Linear blocks integration (which uses `LINEAR_API_KEY` via `ProviderBuilder` in `backend/blocks/linear/_config.py`) **Issues found:** - `.env.default` still references `LINEAR_API_KEY` instead of `COPILOT_LINEAR_API_KEY` - Frontend styleguide has a hardcoded error message with the old variable name

Confidence Score: 3/5

 - Generally safe but requires fixing `.env.default` before deployment - The code changes are correct and achieve the intended security improvement by preventing scope leakage. However, the PR is incomplete - `.env.default` wasn't updated (critical for deployment) and a frontend error message reference was missed. These issues will cause configuration problems for anyone deploying with the new variable name. - Check `autogpt_platform/backend/.env.default` and `autogpt_platform/frontend/src/app/(platform)/copilot/styleguide/page.tsx` - both need updates to match the renamed variable

Flowchart

 ```mermaid flowchart TD A[".env file
COPILOT_LINEAR_API_KEY"] --> B["Secrets model
copilot_linear_api_key"] B --> C["feature_requests.py
_get_linear_config()"] C --> D["Creates APIKeyCredentials
for copilot feature requests"] E[".env file
LINEAR_API_KEY"] --> F["ProviderBuilder
in blocks/linear/_config.py"] F --> G["Linear blocks integration
for user workflows"] style A fill:#90EE90 style B fill:#90EE90 style C fill:#90EE90 style D fill:#90EE90 style E fill:#FFD700 style F fill:#FFD700 style G fill:#FFD700 ```
Last reviewed commit: 86dc57a --- .../backend/api/features/chat/tools/feature_requests.py | 6 +++--- autogpt_platform/backend/backend/util/settings.py | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/autogpt_platform/backend/backend/api/features/chat/tools/feature_requests.py b/autogpt_platform/backend/backend/api/features/chat/tools/feature_requests.py index 95f1eb1fbe..8346df1177 100644 --- a/autogpt_platform/backend/backend/api/features/chat/tools/feature_requests.py +++ b/autogpt_platform/backend/backend/api/features/chat/tools/feature_requests.py @@ -104,8 +104,8 @@ def _get_linear_config() -> tuple[LinearClient, str, str]: Raises RuntimeError if any required setting is missing. """ secrets = _get_settings().secrets - if not secrets.linear_api_key: - raise RuntimeError("LINEAR_API_KEY is not configured") + if not secrets.copilot_linear_api_key: + raise RuntimeError("COPILOT_LINEAR_API_KEY is not configured") if not secrets.linear_feature_request_project_id: raise RuntimeError("LINEAR_FEATURE_REQUEST_PROJECT_ID is not configured") if not secrets.linear_feature_request_team_id: @@ -114,7 +114,7 @@ def _get_linear_config() -> tuple[LinearClient, str, str]: credentials = APIKeyCredentials( id="system-linear", provider="linear", - api_key=SecretStr(secrets.linear_api_key), + api_key=SecretStr(secrets.copilot_linear_api_key), title="System Linear API Key", ) client = LinearClient(credentials=credentials) diff --git a/autogpt_platform/backend/backend/util/settings.py b/autogpt_platform/backend/backend/util/settings.py index c5cca87b6e..20ee10f0c3 100644 --- a/autogpt_platform/backend/backend/util/settings.py +++ b/autogpt_platform/backend/backend/util/settings.py @@ -662,7 +662,7 @@ class Secrets(UpdateTrackingModel["Secrets"], BaseSettings): mem0_api_key: str = Field(default="", description="Mem0 API key") elevenlabs_api_key: str = Field(default="", description="ElevenLabs API key") - linear_api_key: str = Field( + copilot_linear_api_key: str = Field( default="", description="Linear API key for system-level operations" ) linear_feature_request_project_id: str = Field(