From 81173d7ab5823ab66a858ae5a034908c563e24f1 Mon Sep 17 00:00:00 2001
From: Michael Freno
Date: Wed, 13 May 2026 13:39:57 -0400
Subject: [PATCH] FRE-4807: Remediate security review Medium findings

- Add SHA256 verification for k6 binary download (supply chain integrity)
- Remove literal 'test-token' fallback for API_TOKEN in CI workflow; add validation step that fails if LOAD_TEST_API_TOKEN secret is missing
- Replace 'test-token' fallback with empty string + warning in run-all.sh
- Replace 'test-token' fallback with empty string in all 4 service scripts
---
 .github/workflows/load-test.yml | 16 ++++++++++++++--
 scripts/load-test/run-all.sh | 5 ++++-
 scripts/load-test/services/api.js | 2 +-
 scripts/load-test/services/darkwatch.js | 2 +-
 scripts/load-test/services/spamshield.js | 2 +-
 scripts/load-test/services/voiceprint.js | 2 +-
 6 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/load-test.yml b/.github/workflows/load-test.yml
index b706ccc..0a4faef 100644
--- a/.github/workflows/load-test.yml
+++ b/.github/workflows/load-test.yml
@@ -36,17 +36,29 @@ jobs:
 
       - name: Install k6
         run: |
-          curl -s https://github.com/grafana/k6/releases/download/v0.50.0/k6-linux-amd64.tar.gz -L | tar xz
+          K6_VERSION="v0.50.0"
+          K6_URL="https://github.com/grafana/k6/releases/download/${K6_VERSION}/k6-linux-amd64.tar.gz"
+          K6_SHA256="d950a2408d0be2dc81aef397a7c984a1d84271d7ae94ff7a47d08371904f0800"
+          curl -sSL "${K6_URL}" -o k6.tar.gz
+          echo "${K6_SHA256} k6.tar.gz" | sha256sum --check --strict -
+          tar xzf k6.tar.gz
           sudo mv k6 /usr/local/bin/
           k6 version
+      - name: Validate required secrets
+        run: |
+          if [ -z "$API_TOKEN" ]; then
+            echo "❌ LOAD_TEST_API_TOKEN secret is not set"
+            exit 1
+          fi
+
       - name: Run load tests
         run: |
           chmod +x scripts/load-test/run-all.sh
           ./scripts/load-test/run-all.sh ${{ github.event.inputs.service || 'all' }}
         env:
           LOAD_TEST_BASE_URL: ${{ secrets.LOAD_TEST_BASE_URL || 'http://localhost:3000' }}
-          API_TOKEN: ${{ secrets.LOAD_TEST_API_TOKEN || 'test-token' }}
+          API_TOKEN: ${{ secrets.LOAD_TEST_API_TOKEN }}
           TARGET_RPS: ${{ github.event.inputs.target_rps || '500' }}
           DURATION: ${{ github.event.inputs.duration || '300s' }}
           K6_CLOUD_TOKEN: ${{ secrets.K6_CLOUD_TOKEN || '' }}
diff --git a/scripts/load-test/run-all.sh b/scripts/load-test/run-all.sh
index b573048..28f20bc 100755
--- a/scripts/load-test/run-all.sh
+++ b/scripts/load-test/run-all.sh
@@ -16,7 +16,10 @@ mkdir -p "$REPORT_DIR"
 BASE_URL="${LOAD_TEST_BASE_URL:-http://localhost:3000}"
 TARGET_RPS="${TARGET_RPS:-500}"
 DURATION="${DURATION:-300s}"
-API_TOKEN="${API_TOKEN:-test-token}"
+API_TOKEN="${API_TOKEN:-}"
+if [[ -z "$API_TOKEN" ]]; then
+  echo "⚠️ API_TOKEN not set (load tests will run without auth)"
+fi
 
 echo "=== ShieldAI Combined Load Test ==="
 echo "Timestamp: $TIMESTAMP"
diff --git a/scripts/load-test/services/api.js b/scripts/load-test/services/api.js
index dfbd86c..7d47460 100644
--- a/scripts/load-test/services/api.js
+++ b/scripts/load-test/services/api.js
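Review bot: The new `Validate required secrets` step tests `$API_TOKEN`, but the only mapping from `secrets.LOAD_TEST_API_TOKEN` to `API_TOKEN` visible in the hunk is the step-level `env:` of the later `Run load tests` step, so unless a job- or workflow-level `env:` outside this hunk also sets it, the variable is empty when the validation runs and the job fails at that point even when the secret is configured. Give the validation step its own mapping above its `run:`, `env:` / `  API_TOKEN: ${{ secrets.LOAD_TEST_API_TOKEN }}`, rather than interpolating the secret into the script body. Separately, the checksum line reads here as `echo "${K6_SHA256} k6.tar.gz"` with a single space; the `sha256sum --check` line format separates digest and filename with two spaces (or ` *`), a single space is rejected by at least some coreutils versions, and `--strict` turns that into a failed step before any digest is compared, so confirm the committed line keeps two spaces. The pinned digest only adds integrity if it was taken from the upstream release's published checksums for `v0.50.0` rather than computed from a locally downloaded archive; a comment stating its provenance next to `K6_SHA256` would let the next bump be verified the same way.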
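Review bot: The missing-token warning is written to stdout with a bare `echo`, where it interleaves with the rest of the script's report output; if anything downstream captures or parses that output, send the warning to stderr instead, `echo "⚠️ API_TOKEN not set (load tests will run without auth)" >&2`. The `API_TOKEN="${API_TOKEN:-}"` assignment is now a no-op apart from keeping the variable defined under `set -u` if the script enables it, so its purpose is no longer obvious; a comment such as `# no default on purpose: CI fails earlier when the secret is absent, local runs proceed unauthenticated` records why there is deliberately no fallback.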
@@ -30,7 +30,7 @@ export const options = {
 };
 
 const BASE_URL = getBaseUrl();
-const AUTH_TOKEN = __ENV.API_TOKEN || 'test-token';
+const AUTH_TOKEN = __ENV.API_TOKEN || '';
 
 const headers = {
   'Content-Type': 'application/json',
diff --git a/scripts/load-test/services/darkwatch.js b/scripts/load-test/services/darkwatch.js
index 4fb6cf9..d04f1e5 100644
--- a/scripts/load-test/services/darkwatch.js
+++ b/scripts/load-test/services/darkwatch.js
@@ -32,7 +32,7 @@ export const options = {
 };
 
 const BASE_URL = getBaseUrl();
-const AUTH_TOKEN = __ENV.API_TOKEN || 'test-token';
+const AUTH_TOKEN = __ENV.API_TOKEN || '';
 
 const headers = {
   'Content-Type': 'application/json',
diff --git a/scripts/load-test/services/spamshield.js b/scripts/load-test/services/spamshield.js
index 020588b..c00640e 100644
--- a/scripts/load-test/services/spamshield.js
+++ b/scripts/load-test/services/spamshield.js
@@ -32,7 +32,7 @@ export const options = {
 };
 
 const BASE_URL = getBaseUrl();
-const AUTH_TOKEN = __ENV.API_TOKEN || 'test-token';
+const AUTH_TOKEN = __ENV.API_TOKEN || '';
 
 const headers = {
   'Content-Type': 'application/json',
diff --git a/scripts/load-test/services/voiceprint.js b/scripts/load-test/services/voiceprint.js
index 03b0c36..d042201 100644
--- a/scripts/load-test/services/voiceprint.js
+++ b/scripts/load-test/services/voiceprint.js
@@ -32,7 +32,7 @@ export const options = {
 };
 
 const BASE_URL = getBaseUrl();
-const AUTH_TOKEN = __ENV.API_TOKEN || 'test-token';
+const AUTH_TOKEN = __ENV.API_TOKEN || '';
 
 const headers = {
   'Content-Type': 'application/json',
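Review bot: With the fallback removed, `AUTH_TOKEN` is `''` whenever `API_TOKEN` is unset, and if the `headers` literal (whose body continues past the hunk) builds a bearer entry from it as the former `'test-token'` default suggests, every request in an unauthenticated run sends `Authorization: Bearer ` with an empty credential; the services then exercise their rejection path instead of the real handlers, and the load figures measure the wrong thing without any threshold noticing. Add the header only when a token is present, e.g. `...(AUTH_TOKEN ? { Authorization: 'Bearer ' + AUTH_TOKEN } : {})` inside the `headers` literal, and emit `console.warn('API_TOKEN not set; running unauthenticated')` at init so the k6 output records which mode the run was in. The identical hunks in darkwatch.js, spamshield.js and voiceprint.js have the same issue.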