From 8ad38f8f4d3d73a78d006d41f74eea5ef74f8476 Mon Sep 17 00:00:00 2001
From: Codex Security Bot <codex-security-bot@example.com>
Date: Sun, 8 Mar 2026 07:59:45 +0000
Subject: [PATCH] security: require vault token via environment variable

---
 cmdb-api/api/lib/secrets/vault.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/cmdb-api/api/lib/secrets/vault.py b/cmdb-api/api/lib/secrets/vault.py
index a5746f55..d2ed2cd3 100644
--- a/cmdb-api/api/lib/secrets/vault.py
+++ b/cmdb-api/api/lib/secrets/vault.py
@@ -2,6 +2,7 @@
 from base64 import b64encode
 
 import hvac
+import os
 
 
 class VaultClient:
@@ -128,7 +129,9 @@ def decode_base64(cls, encoded_string):
 
 if __name__ == "__main__":
     _base_url = "http://localhost:8200"
-    _token = "your token"
+    _token = os.environ.get("VAULT_TOKEN", "")
+    if not _token:
+        raise RuntimeError("VAULT_TOKEN is required")
 
     _path = "test001"
     # Example