FRE-4807: Remediate security review Medium findings

- Add SHA256 verification for k6 binary download (supply chain integrity)
- Remove literal 'test-token' fallback for API_TOKEN in CI workflow;
  add validation step that fails if LOAD_TEST_API_TOKEN secret is missing
- Replace 'test-token' fallback with empty string + warning in run-all.sh
- Replace 'test-token' fallback with empty string in all 4 service scripts

.github/workflows/load-test.yml

@@ -36,17 +36,29 @@ jobs:
 
       - name: Install k6
         run: |
-          curl -s https://github.com/grafana/k6/releases/download/v0.50.0/k6-linux-amd64.tar.gz -L | tar xz
+          K6_VERSION="v0.50.0"
+          K6_URL="https://github.com/grafana/k6/releases/download/${K6_VERSION}/k6-linux-amd64.tar.gz"
+          K6_SHA256="d950a2408d0be2dc81aef397a7c984a1d84271d7ae94ff7a47d08371904f0800"
+          curl -sSL "${K6_URL}" -o k6.tar.gz
+          echo "${K6_SHA256}  k6.tar.gz" | sha256sum --check --strict -
+          tar xzf k6.tar.gz
           sudo mv k6 /usr/local/bin/
           k6 version
 
+      - name: Validate required secrets
+        run: |
+          if [ -z "$API_TOKEN" ]; then
+            echo "❌ LOAD_TEST_API_TOKEN secret is not set"
+            exit 1
+          fi
+
       - name: Run load tests
         run: |
           chmod +x scripts/load-test/run-all.sh
           ./scripts/load-test/run-all.sh ${{ github.event.inputs.service || 'all' }}
         env:
           LOAD_TEST_BASE_URL: ${{ secrets.LOAD_TEST_BASE_URL || 'http://localhost:3000' }}
-          API_TOKEN: ${{ secrets.LOAD_TEST_API_TOKEN || 'test-token' }}
+          API_TOKEN: ${{ secrets.LOAD_TEST_API_TOKEN }}
           TARGET_RPS: ${{ github.event.inputs.target_rps || '500' }}
           DURATION: ${{ github.event.inputs.duration || '300s' }}
           K6_CLOUD_TOKEN: ${{ secrets.K6_CLOUD_TOKEN || '' }}

scripts/load-test/run-all.sh

@@ -16,7 +16,10 @@ mkdir -p "$REPORT_DIR"
 BASE_URL="${LOAD_TEST_BASE_URL:-http://localhost:3000}"
 TARGET_RPS="${TARGET_RPS:-500}"
 DURATION="${DURATION:-300s}"
-API_TOKEN="${API_TOKEN:-test-token}"
+API_TOKEN="${API_TOKEN:-}"
+if [[ -z "$API_TOKEN" ]]; then
+  echo "⚠️ API_TOKEN not set (load tests will run without auth)"
+fi
 
 echo "=== ShieldAI Combined Load Test ==="
 echo "Timestamp: $TIMESTAMP"

scripts/load-test/services/api.js

@@ -30,7 +30,7 @@ export const options = {
 };
 
 const BASE_URL = getBaseUrl();
-const AUTH_TOKEN = __ENV.API_TOKEN || 'test-token';
+const AUTH_TOKEN = __ENV.API_TOKEN || '';
 
 const headers = {
   'Content-Type': 'application/json',

scripts/load-test/services/darkwatch.js

@@ -32,7 +32,7 @@ export const options = {
 };
 
 const BASE_URL = getBaseUrl();
-const AUTH_TOKEN = __ENV.API_TOKEN || 'test-token';
+const AUTH_TOKEN = __ENV.API_TOKEN || '';
 
 const headers = {
   'Content-Type': 'application/json',

scripts/load-test/services/spamshield.js

@@ -32,7 +32,7 @@ export const options = {
 };
 
 const BASE_URL = getBaseUrl();
-const AUTH_TOKEN = __ENV.API_TOKEN || 'test-token';
+const AUTH_TOKEN = __ENV.API_TOKEN || '';
 
 const headers = {
   'Content-Type': 'application/json',

scripts/load-test/services/voiceprint.js

@@ -32,7 +32,7 @@ export const options = {
 };
 
 const BASE_URL = getBaseUrl();
-const AUTH_TOKEN = __ENV.API_TOKEN || 'test-token';
+const AUTH_TOKEN = __ENV.API_TOKEN || '';
 
 const headers = {
   'Content-Type': 'application/json',