From 942aa8b36bed3db4d95adf007ded0e7bfba61e59 Mon Sep 17 00:00:00 2001 From: Bastien Chanot Date: Wed, 27 May 2026 18:51:19 +0200 Subject: [PATCH] docs(memory): record scrubbed OpenRouter key as BLK-002 Co-Authored-By: Claude Opus 4.7 (1M context) --- .claude/memory/blockers.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.claude/memory/blockers.md b/.claude/memory/blockers.md index 29c4ecd..196ff7b 100644 --- a/.claude/memory/blockers.md +++ b/.claude/memory/blockers.md @@ -7,3 +7,10 @@ Friction + root cause + status. Caveman + English. undefined variable on `:ClassC Foo`. `GenerateClassH` correct (uses `a:name`). Not fixed — vim domain, out of onboard scope (user said fix install.sh only). Fix: prefix all with `a:`. Status: open, logged in TODO P2. + +## BLK-002 — hardcoded OpenRouter key in claude-provider — RESOLVED (key rotation pending user) +2026-05-27. `~/.local/bin/claude-provider` had live `sk-or-v1-...` key in heredoc. Adding to +repo (remote git.bchanot.fr) would leak it. Root cause: key inlined in `write_openrouter`. +Fix: repo copy `bin/claude-provider` reads `${OPENROUTER_API_KEY:?...}` from env; key never in +repo. Verified `git grep sk-or` clean. Status: resolved in repo. ACTION user: revoke old key at +openrouter.ai (compromised — was in plaintext + exposed in chat).